Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware Remediation Consultants

Ransomware has become an escalating cyberplague that poses an enterprise-level threat to organizations unprepared for an assault. Different versions of crypto-ransomware such as Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to cause harm. The latest strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus additional as yet unnamed newcomers, not only encrypt online files but also infiltrate all available system protection mechanisms. Information replicated to cloud environments can also be encrypted. In a poorly architected data protection solution, this can render automated recovery hopeless and effectively set the datacenter back to square one.

Retrieving programs and data following a crypto-ransomware intrusion becomes a race against time as the victim struggles to contain the damage, eradicate the virus and restore mission-critical operations. Because ransomware needs time to spread, assaults are frequently sprung at night, when a successful attack is likely to go unnoticed for longer. This compounds the difficulty of rapidly assembling and coordinating an experienced response team.

Progent provides a variety of support services for protecting businesses from ransomware penetrations. These include team member training to help staff identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security appliances with artificial intelligence technology from SentinelOne to discover and quarantine zero-day cyber attacks quickly. Progent can also provide the services of seasoned ransomware recovery consultants with the skills and commitment to rebuild a breached environment as quickly as possible.

Progent's Ransomware Restoration Help
Following a ransomware attack, paying the ransom in cryptocurrency does not ensure that criminal gangs will provide the keys to decipher any or all of your data. Kaspersky determined that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to re-install the key elements of your IT environment. Absent access to essential data backups, this calls for a wide complement of skill sets, top-notch team management, and the willingness to work continuously until the job is complete.

For decades, Progent has made available certified expert IT services for companies in Philadelphia and throughout the United States and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity experts have garnered internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the capability to quickly understand the systems involved, salvage the surviving parts of your network following a ransomware event, and configure them back into an operational system.

Progent's security team uses best-of-breed project management applications to orchestrate the sophisticated recovery process. Progent knows the importance of acting swiftly and in unison with a client's management and IT team members to prioritize tasks and to put key systems back online as soon as possible.

Customer Story: A Successful Crypto-Ransomware Penetration Restoration
A business contacted Progent after their organization was brought down by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, possibly adopting techniques leaked from the United States NSA. Ryuk attacks specific companies with limited tolerance for disruption and is one of the most lucrative iterations of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in Chicago with around 500 staff members. The Ryuk penetration had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups were online when the attack began and were eventually encrypted. The client was preparing to pay the ransom (in excess of $200K) and hope for the best, but in the end reached out to Progent.


"I can't tell you enough in regards to the expertise Progent provided us throughout the most fearful time of (our) business's survival. We may have had to pay the Hackers except for the confidence the Progent group afforded us. That you could get our messaging and essential applications back on-line faster than five days was something I thought impossible. Every single person I got help from or communicated with at Progent was laser focused on getting us restored and was working at all hours to bail us out."

Progent worked together with the client to rapidly assess and prioritize the essential systems that needed to be recovered to make it possible to continue departmental operations:

  • Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP

To begin, Progent followed ransomware incident mitigation best practices by halting the spread and cleaning up infected systems. Progent then started the process of recovering Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Exchange email will not function without AD, and the business's financial and MRP applications used Microsoft SQL Server, which depends on Active Directory for access to the database.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then initiated reinstallations and hard drive recovery on critical applications. All Exchange schema and attributes were usable, which facilitated the restore of Exchange. Progent was also able to locate local OST data files (Outlook Offline Folder Files) on team PCs and laptops to recover mail data. A reasonably recent offline backup of the customer's financials/MRP software made it possible to bring these vital services back online. Although a lot of work remained to recover fully from the Ryuk virus, the most important services were returned to operation rapidly:
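The recovery step above of locating OST files on workstations is something a response team would script rather than do by hand. The following PowerShell is an added example, not code from Progent or from the case study; it assumes the default Outlook location under each user's local AppData and a report path that you would adjust. It inventories every .ost file on a workstation with owner, size and last write time, so the team can pick out files that predate the incident before copying them to read-only media for mailbox recovery.

```powershell
# Added example (not Progent's code): inventory Outlook offline data files (.ost) on a
# Windows workstation so locally cached mailbox data can be preserved before Exchange
# is rebuilt. The report path is an assumption; adjust it for your environment.

param(
    # Where the inventory is written (assumed path).
    [string]$ReportPath = "$env:SystemDrive\ost-inventory.csv",
    # Date of the incident (constructed sample value); files written after it are suspect.
    [datetime]$IncidentDate = (Get-Date '2020-01-01')
)

# Outlook keeps OST files under %LOCALAPPDATA%\Microsoft\Outlook by default,
# so walking the Users tree finds them for every profile on the machine.
$profileRoot = Join-Path $env:SystemDrive 'Users'

$ostFiles = Get-ChildItem -Path $profileRoot -Filter '*.ost' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object @{Name = 'Computer';      Expression = { $env:COMPUTERNAME } },
                  # Third path segment of C:\Users\<name>\... is the profile owner.
                  @{Name = 'User';          Expression = { ($_.FullName -split '\\')[2] } },
                  FullName,
                  @{Name = 'SizeMB';        Expression = { [math]::Round($_.Length / 1MB, 1) } },
                  LastWriteTime,
                  # A file modified after the incident may have been touched by the malware
                  # or by Outlook re-syncing against a damaged mailbox; flag it for review.
                  @{Name = 'PreIncident';   Expression = { $_.LastWriteTime -lt $IncidentDate } }

# Persist the inventory so the recovery team can decide which files to copy off to read-only media.
$ostFiles | Sort-Object LastWriteTime -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# On-screen summary: the PreIncident column is the quick filter for usable files.
$ostFiles | Format-Table User, SizeMB, LastWriteTime, PreIncident, FullName -AutoSize
'{0} OST file(s) recorded in {1} ({2} predate the incident)' -f @($ostFiles).Count, $ReportPath,
    @($ostFiles | Where-Object PreIncident).Count
```

Run it locally on each workstation, or push it to many machines with Invoke-Command against a list of computer names once the network has been confirmed clean; collect the CSV files centrally and copy only the flagged pre-incident OST files, never opening them with Outlook on an endpoint that has not yet been rebuilt.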


"For the most part, the production manufacturing operation was never shut down and we produced all customer orders."

Throughout the next month, critical milestones in the recovery process were completed in close cooperation between Progent engineers and the customer:

  • Self-hosted web sites were returned to operation without losing any information.
  • The MailStore archive for Microsoft Exchange Server, holding more than 4 million historical messages, was brought up and made available to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were fully restored.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • 90% of the desktop computers were functioning as before the incident.

"So much of what transpired during the initial response is nearly entirely a fog for me, but I will not forget the countless hours each and every one of the team put in to give us our business back. I've entrusted Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A possible company-ending catastrophe was averted thanks to results-oriented professionals, a broad range of knowledge, and close teamwork. Post-incident analysis showed that the ransomware penetration detailed here would have been stopped by current cybersecurity technology and recognized best practices: team education and properly executed security procedures for backup and software patching. Even so, state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and will keep attacking. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of experts has a proven track record in ransomware virus blocking, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thanks very much for letting me get some sleep after we made it through the first week. All of you did an impressive effort, and if anyone is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Philadelphia a variety of remote monitoring and security assessment services to help you minimize the threat from ransomware. These services include modern artificial intelligence technology to detect zero-day variants of ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which routinely get by legacy signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform to address the entire threat progression including blocking, detection, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection services offer ultra-affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, device management, and web filtering through leading-edge tools packaged within one agent accessible from a unified console. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that meets your company's unique needs and that allows you to demonstrate compliance with government and industry information protection standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also help you to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and allow non-disruptive backup and rapid recovery of important files, applications, system images, plus virtual machines. ProSight DPS lets you recover from data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or application glitches. Managed services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to provide centralized control and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to inbound threats and saves system bandwidth and storage. Email Guard's on-premises security gateway device adds a further level of analysis for inbound email. For outbound email, the onsite security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map, monitor, reconfigure and troubleshoot their connectivity appliances like switches, firewalls, and access points plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always current, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends notices when problems are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, finding appliances that need critical updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management technology to help keep your network running efficiently by tracking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT staff and your assigned Progent consultant so that any potential issues can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can save up to half the time spent looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates next-generation behavior-based machine learning tools to guard endpoints as well as physical and virtual servers against new malware assaults like ransomware and email phishing, which routinely escape legacy signature-based anti-virus tools. Progent ASM services protect local and cloud resources and offer a unified platform to address the entire threat lifecycle including protection, infiltration detection, containment, cleanup, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Call Center: Support Desk Managed Services
    Progent's Help Desk managed services enable your information technology group to outsource Support Desk services to Progent or split activity for Service Desk support seamlessly between your internal support staff and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a seamless extension of your core network support team. User interaction with the Service Desk, provision of technical assistance, problem escalation, ticket generation and tracking, efficiency metrics, and management of the service database are cohesive whether issues are taken care of by your core support organization, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer businesses of all sizes a flexible and affordable solution for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT system. In addition to optimizing the protection and functionality of your IT environment, Progent's patch management services permit your IT staff to focus on line-of-business initiatives and tasks that deliver the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Android, and other personal devices. With 2FA, when you sign into a protected online account and enter your password, you are asked to verify your identity on a device that only you possess and that uses a different network channel. A broad range of devices can be used as this second means of ID validation, including an iPhone, an Android phone or a smartwatch, a hardware or software token, a landline telephone, etc. You may register several verification devices. To learn more about Duo two-factor identity validation services, see Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of real-time reporting tools created to work with the industry's top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues like inconsistent support follow-through or machines with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

For Philadelphia 24/7/365 crypto-ransomware cleanup consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.