Ransomware: Your Worst IT Disaster

Ransomware Remediation Professionals
Crypto-ransomware has become an escalating cyberplague that represents an enterprise-level threat for businesses vulnerable to an attack. Multiple generations of ransomware like the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to cause destruction. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as other as yet unnamed malware, not only encrypt online information but also subvert many of the available system protection mechanisms. Files replicated to cloud environments can also be rendered useless. Where the data protection solution is itself vulnerable, this can make automated recovery hopeless and effectively sets the network back to zero.

Recovering services and data after a crypto-ransomware attack becomes a sprint against the clock as the targeted organization struggles to contain the damage, remove the malware, and restore mission-critical operations. Because ransomware requires time to move laterally, attacks are usually launched during nights and weekends, when they tend to take longer to discover. This compounds the difficulty of promptly mobilizing and organizing a capable response team.

Progent offers an assortment of help services for protecting enterprises from ransomware penetrations. Among these are user training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of the latest generation security solutions with artificial intelligence capabilities from SentinelOne to discover and disable day-zero cyber threats quickly. Progent in addition provides the services of experienced ransomware recovery engineers with the skills and commitment to re-deploy a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
Following a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not guarantee that cyber criminals will return the keys needed to decrypt any of your information. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to set up the key components of your Information Technology environment from scratch. Without essential data backups available, this requires a wide range of IT skills, top-notch project management, and the willingness to work 24x7 until the task is completed.

For decades, Progent has offered expert Information Technology services for companies in Melbourne and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial systems and ERP applications. This breadth of expertise affords Progent the capability to efficiently ascertain necessary systems and consolidate the remaining pieces of your Information Technology system after a crypto-ransomware attack and configure them into an operational network.

Progent's recovery team has state-of-the-art project management systems to orchestrate the complicated recovery process. Progent appreciates the importance of working rapidly and in unison with a customer's management and Information Technology team members to prioritize tasks and to put key applications back on-line as fast as humanly possible.

Case Study: A Successful Ransomware Virus Recovery
A customer escalated to Progent after their organization was brought down by Ryuk ransomware. Ryuk is thought to have been launched by North Korean government sponsored criminal gangs, suspected of adopting technology leaked from America's NSA organization. Ryuk goes after specific companies with limited ability to sustain operational disruption and is one of the most profitable instances of ransomware malware. Major victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area with about 500 workers. The Ryuk penetration had paralyzed all company operations and manufacturing processes. The majority of the client's backups had been directly accessible from the network at the time of the intrusion and were encrypted along with everything else. The client was actively seeking loans to pay the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent instead.


"I can't thank you enough in regards to the help Progent gave us throughout the most fearful period of (our) company's survival. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent experts gave us. The fact that you could get our messaging and production applications back online quicker than one week was amazing. Each expert I interacted with or communicated with at Progent was hell bent on getting my company operational and was working 24/7 to bail us out."

Progent worked hand in hand with the client to rapidly determine and prioritize the critical applications that needed to be restored to make it possible to restart departmental functions:

  • Active Directory
  • Electronic Messaging
  • MRP System

To get going, Progent followed malware incident response best practices by containing the spread and carrying out the malware removal steps. Progent then started the process of restoring Windows Active Directory, the foundation of enterprise systems built on Microsoft technology. Microsoft Exchange email will not operate without AD, and the client's financials and MRP applications used Microsoft SQL Server, which relies on Active Directory for access to the data.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then charged ahead with rebuilding mission-critical applications and recovering their storage. All Exchange schema and attributes were intact, which greatly helped the restoration of Exchange. Progent was also able to find non-encrypted OST files (Outlook Off-Line Folder Files) on team desktop computers and used them to recover email messages. A recent offline backup of the customer's manufacturing software made it possible to bring these vital applications back online. Although a lot of work still had to be done to recover totally from the Ryuk attack, core systems were restored rapidly:


"For the most part, the assembly line operation survived unscathed and we produced all customer sales."

During the following couple of weeks critical milestones in the recovery project were completed in close cooperation between Progent consultants and the client:

  • Internal web sites were returned to operation with no loss of information.
  • The MailStore server for Microsoft Exchange, holding more than four million archived emails, was returned to operation and made accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory capabilities were 100% restored.
  • A new Palo Alto 850 firewall was installed and configured.
  • Most of the desktop computers were back into operation.

"A lot of what was accomplished in the initial days is nearly entirely a fog for me, but I will not soon forget the commitment all of you put in to give us our company back. I have utilized Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This situation was the most impressive ever."

Conclusion
A likely business-killing disaster was dodged with dedicated experts, a wide spectrum of technical expertise, and tight collaboration. Although in retrospect the ransomware attack described here would have been identified and disabled with advanced security technology and best practices, team training, and well thought out incident response procedures for information backup and keeping systems up to date with security patches, the reality remains that state-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware virus, feel confident that Progent's roster of professionals has proven experience in ransomware virus blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), thanks very much for making it so I could get some sleep after we made it over the most critical parts. Everyone did a fabulous job, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Melbourne a portfolio of online monitoring and security evaluation services designed to assist you to reduce the threat from crypto-ransomware. These services include next-generation AI technology to detect new strains of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely get by traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to address the entire threat lifecycle including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver economical multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering through cutting-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that meets your organization's specific requirements and that allows you to demonstrate compliance with legal and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent can also assist your company to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup technology companies to create ProSight Data Protection Services (DPS), a selection of offerings that provide backup-as-a-service. ProSight DPS products manage and track your data backup operations and enable non-disruptive backup and rapid restoration of vital files, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss resulting from equipment failures, natural calamities, fire, malware like ransomware, human error, ill-intentioned insiders, or application bugs. Managed backup services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security companies to provide web-based management and comprehensive protection for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based malware. Email Guard's cloud filter acts as a first barrier and blocks the vast majority of threats from reaching your network firewall. This reduces your exposure to external threats and conserves system bandwidth and storage. Email Guard's onsite gateway appliance adds a further level of analysis for incoming email. For outbound email, the onsite security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, optimize and troubleshoot their networking hardware such as switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and displays the configuration information of virtually all devices on your network, tracks performance, and sends alerts when problems are discovered. By automating time-consuming network management processes, WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, finding devices that require critical software patches, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the state of vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your specified IT personnel and your Progent consultant so all looming problems can be addressed before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be moved easily to a different hosting solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information related to your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can save as much as 50% of the time spent looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next generation behavior-based machine learning technology to defend endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-based AV tools. Progent Active Security Monitoring services safeguard local and cloud resources and offer a unified platform to automate the complete malware attack lifecycle including protection, identification, containment, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Help Center managed services permit your information technology staff to offload Call Center services to Progent or split responsibilities for Service Desk support transparently between your internal network support resources and Progent's extensive pool of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a seamless supplement to your internal IT support resources. User access to the Service Desk, provision of support, problem escalation, ticket generation and tracking, performance metrics, and management of the service database are consistent whether issues are taken care of by your in-house network support resources, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of any size a versatile and cost-effective solution for assessing, testing, scheduling, applying, and documenting software and firmware updates to your dynamic IT system. In addition to optimizing the security and reliability of your IT network, Progent's software/firmware update management services allow your IT staff to concentrate on line-of-business initiatives and tasks that deliver the highest business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against password theft by using two-factor authentication. Duo enables single-tap identity verification on Apple iOS, Android, and other personal devices. Using Duo 2FA, whenever you log into a protected online account and enter your password, you are requested to verify who you are on a device that only you possess and that uses a separate network channel. A broad selection of devices can be used for this added means of authentication, such as an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline telephone. You may register multiple validation devices. For details about ProSight Duo identity validation services, refer to Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of real-time reporting plug-ins designed to integrate with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues such as inconsistent support follow-through or machines with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

For Melbourne 24/7/365 Crypto-Ransomware Cleanup Support Services, contact Progent at 800-462-8800 or go to Contact Progent.