Ransomware : Your Worst IT Catastrophe
Ransomware Recovery Professionals

Crypto-ransomware has become an escalating cyber pandemic that poses an extinction-level threat for businesses unprepared for an attack. Multiple generations of crypto-ransomware such as CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for years and still inflict harm. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as daily unnamed newcomers, not only encrypt on-line critical data but also defeat most of the system protection that has been configured. Files replicated to the cloud can also be rendered useless. With a poorly designed data protection solution, this can make automatic recovery hopeless and effectively knocks the entire system back to zero.

Getting programs and information back on-line following a ransomware outage becomes a sprint against time as the victim struggles to stop lateral movement, clear the ransomware, and resume mission-critical activity. Because ransomware requires time to spread, penetrations are usually sprung at night, when successful penetrations typically take longer to detect. This compounds the difficulty of quickly mobilizing and orchestrating a qualified mitigation team.

Progent has an assortment of solutions for protecting enterprises from ransomware events. Among these are staff education to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security appliances with machine learning capabilities from SentinelOne to identify and disable day-zero threats rapidly. Progent also offers the services of experienced ransomware recovery engineers with the skills and commitment to restore a compromised system as rapidly as possible.

Progent's Ransomware Restoration Support Services
Following a crypto-ransomware event, paying the ransom in cryptocurrency does not ensure that cyber criminals will provide the keys to decrypt any of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to piece back together the key elements of your IT environment. Without access to full information backups, this requires a wide range of skills, well-coordinated team management, and the ability to work non-stop until the job is completed.

For two decades, Progent has offered expert IT services for businesses in Philadelphia and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally-renowned certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to rapidly understand critical systems and re-organize the remaining components of your IT system after a crypto-ransomware event and rebuild them into an operational system.

Progent's ransomware team utilizes top-notch project management systems to orchestrate the complex recovery process. Progent understands the urgency of working quickly and in unison with a customer's management and IT resources to assign priority to tasks and to get the most important systems back on-line as soon as possible.

Case Study: A Successful Ransomware Incident Response
A small business sought out Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored hackers, possibly using techniques leaked from the U.S. National Security Agency (NSA). Ryuk targets specific companies with limited ability to sustain disruption and is one of the most lucrative examples of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in Chicago with around 500 staff members. The Ryuk penetration had frozen all business operations and manufacturing capabilities. Most of the client's information backups had been on-line and directly reachable at the start of the attack, and they were encrypted along with the production data. The client was taking steps to pay the ransom (more than $200K) and hoping for the best, but in the end called Progent.


"I can't speak enough about the help Progent provided us throughout the most fearful time of (our) company's survival. We would have paid the cyber criminals behind the attack if not for the confidence the Progent team provided us. The fact that you were able to get our e-mail and key applications back into operation faster than 1 week was incredible. Every single expert I interacted with or texted at Progent was urgently focused on getting us restored and was working day and night on our behalf."

Progent worked hand in hand with the customer to rapidly assess and assign priority to the most important systems that had to be addressed in order to continue departmental functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To begin, Progent followed industry best practices for malware incident response by stopping lateral movement and cleaning up compromised systems. Progent then initiated the task of recovering Microsoft Active Directory (AD), the key technology of enterprise networks built upon Microsoft Windows Server. Microsoft Exchange Server messaging will not function without AD, and the business's financials and MRP software used Microsoft SQL Server, which depends on Windows AD for authentication and authorization to the databases.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then began rebuilding the needed servers and recovering their hard drives. All Exchange data and attributes were usable, which accelerated the rebuild of Exchange. Progent was also able to locate non-encrypted OST data files (Outlook Off-Line Folder Files) on staff PCs and laptops to recover mail data. A reasonably recent off-line backup of the business's financials/ERP systems made it possible to bring these essential services back to users. Although a large amount of work remained to recover completely from the Ryuk damage, core systems were restored quickly:


"For the most part, the assembly line operation did not miss a beat and we made all customer shipments."

Over the following couple of weeks critical milestones in the recovery process were accomplished through tight collaboration between Progent team members and the client:

  • Internal web applications were brought back up without losing any information.
  • The MailStore Exchange archive server, holding more than 4 million archived messages, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory Control capabilities were 100% recovered.
  • A new Palo Alto 850 firewall was brought online.
  • Most of the user workstations were back into operation.

"So much of what transpired in the early hours is mostly a fog for me, but my management will not forget the countless hours each of you accomplished to give us our business back. I've been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This event was a stunning achievement."

Conclusion
A possible enterprise-killing disaster was dodged due to hard-working professionals, a wide spectrum of technical expertise, and close collaboration. Although in retrospect the ransomware attack detailed here would have been identified and blocked with current security solutions and ISO/IEC 27001 best practices, user and IT administrator education, and well-designed procedures for information backup and applying software patches, the reality is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware incursion, feel confident that Progent's team of experts has a proven track record in ransomware defense, removal, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for letting me get some sleep after we got over the first week. All of you did an incredible effort, and if any of your team is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this customer story, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Philadelphia a range of online monitoring and security evaluation services designed to assist you to minimize the threat from ransomware. These services include modern AI technology to detect new strains of crypto-ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and fileless exploits, which easily escape legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to manage the entire malware attack lifecycle including filtering, identification, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering through cutting-edge technologies incorporated within one agent accessible from a unified console. Progent's data protection and virtualization consultants can help you to design and configure a ProSight ESP deployment that addresses your organization's unique requirements and that allows you to achieve and demonstrate compliance with legal and industry information protection standards. Progent will assist you in defining and configuring the policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent action. Progent can also assist you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore technology companies to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and track your backup processes and enable non-disruptive backup and fast restoration of critical files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by hardware breakdown, natural disasters, fire, cyber attacks like ransomware, user mistakes, ill-intentioned employees, or software bugs. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security companies to provide centralized control and world-class security for your email traffic. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway device to offer complete defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's on-premises gateway device adds a further level of inspection for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to map out, track, enhance and debug their networking hardware such as routers, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating tedious network management processes, ProSight WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, locating appliances that require critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by tracking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT management staff and your assigned Progent consultant so that all potential issues can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hosting environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard information related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save up to 50% of time wasted searching for vital information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting-edge behavior analysis tools to defend endpoints as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which easily escape legacy signature-matching anti-virus products. Progent ASM services protect on-premises and cloud-based resources and offer a unified platform to manage the entire malware attack lifecycle including protection, infiltration detection, containment, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Support Desk services allow your IT team to offload Help Desk services to Progent or split activity for support services transparently between your in-house network support resources and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth supplement to your corporate network support organization. Client access to the Help Desk, provision of support services, issue escalation, ticket generation and tracking, performance measurement, and management of the support database are consistent whether incidents are resolved by your core IT support group, by Progent, or both. Read more about Progent's outsourced/co-managed Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of all sizes a flexible and cost-effective solution for assessing, validating, scheduling, implementing, and tracking updates to your ever-evolving IT network. In addition to maximizing the protection and functionality of your computer network, Progent's patch management services permit your IT team to concentrate on line-of-business projects and tasks that derive maximum business value from your network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo technology to protect against stolen passwords through the use of two-factor authentication. Duo supports one-tap identity confirmation on iOS, Google Android, and other out-of-band devices. Using 2FA, whenever you log into a protected application and give your password, you are asked to verify who you are on a device that only you have and that uses a separate network channel. A wide selection of out-of-band devices can be utilized for this added means of authentication, such as an iPhone, an Android phone, a smart watch, a hardware token, or a landline telephone. You can register multiple validation devices. To find out more about Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of in-depth reporting plug-ins designed to integrate with the industry's leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-through or machines with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

For Philadelphia 24-Hour CryptoLocker Cleanup Experts, contact Progent at 800-462-8800 or go to Contact Progent.