Ransomware: Your Feared Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that presents an existential threat to businesses poorly prepared for an attack. Multiple generations of ransomware such as Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been circulating for years and continue to cause harm. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with as yet unnamed newcomers appearing daily, not only encrypt online files but also attack whatever system protection mechanisms they can reach, such as shadow copies and backups that are accessible from the network. Files replicated to off-site disaster recovery sites can be corrupted as well. In a poorly designed data protection solution, this can make automated restoration hopeless and effectively knocks the datacenter back to square one.
Getting services and data back after a crypto-ransomware attack becomes a sprint against the clock as the victim struggles to contain the damage, eradicate the ransomware and restore mission-critical operations. Because lateral spread and encryption take time, attacks are usually launched on weekends and at night, when intrusions typically take longer to identify. This multiplies the difficulty of quickly assembling and organizing a capable response team.
Progent offers a variety of solutions for protecting enterprises from crypto-ransomware events. These include training staff to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security solutions with machine learning technology from SentinelOne that identify and disable zero-day attacks automatically. Progent can also provide the services of veteran crypto-ransomware recovery engineers with the track record and perseverance to re-deploy a compromised network as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware intrusion, paying the ransom in cryptocurrency provides no assurance that the criminals will supply working keys to decrypt any or all of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The ransom itself is also costly: Ryuk demands commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimates at around $13,000. The alternative is to rebuild the key parts of your IT environment. Without complete, uncompromised backups, this calls for a wide range of skills, professional project management, and the ability to work around the clock until the recovery is complete.
For twenty years, Progent has offered professional IT services for companies in Philadelphia and across the U.S. and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to efficiently identify the necessary systems, salvage the surviving parts of your IT environment following a crypto-ransomware attack, and rebuild them into a functioning whole.
Progent's security team uses best-of-breed project management systems to orchestrate the complicated restoration process. Progent knows the urgency of acting swiftly, together with a customer's management and IT staff, to prioritize tasks and put essential systems back online as soon as possible.
Customer Case Study: A Successful Ransomware Attack Recovery
A client sought out Progent after their network was brought down by Ryuk ransomware. Ryuk's attribution has been debated: early reports tied it to North Korean state-sponsored actors because it reuses code from the Hermes ransomware, while later analysis attributed it to Russian-speaking criminal groups. Ryuk targets specific organizations with little or no ability to tolerate disruption and is one of the most profitable strains of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with around 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing capability. Most of the client's backups had been directly accessible from the network at the start of the intrusion and were eventually encrypted. The client was arranging financing to pay the ransom (more than $200K) and hoping for the best, but ultimately called Progent.
"I cannot say enough about the support Progent provided us during the most fearful time of (our) businesses existence. We most likely would have paid the cybercriminals except for the confidence the Progent group provided us. That you could get our e-mail system and critical applications back sooner than one week was incredible. Each staff member I spoke to or texted at Progent was totally committed on getting us restored and was working all day and night to bail us out."
Progent worked hand in hand with the customer to rapidly assess and prioritize the most important areas that had to be addressed to make it possible to resume business operations:
- Windows Active Directory
- Exchange Server
- MRP System
To begin, Progent followed incident response best practices by stopping the spread and cleaning up compromised systems. Progent then started recovering Windows Active Directory, the foundation of enterprise systems built on Microsoft Windows Server. Microsoft Exchange Server messaging will not function without Active Directory, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) for access to the databases.
Within two days, Progent recovered Active Directory to its pre-attack state. Progent then assisted with configuration and storage recovery on the most important servers. All Exchange schema and configuration information held in Active Directory was intact, which accelerated the Exchange restore. Progent was also able to collect local OST files (Outlook Offline Data Files) from user PCs and laptops to recover mail data. A reasonably recent offline backup of the customer's accounting software made it possible to bring those required services back online for users. Although major work remained to recover completely from the Ryuk damage, critical services were restored rapidly:
"For the most part, the production manufacturing operation showed little impact and we did not miss any customer shipments."
Over the following couple of weeks, important milestones in the recovery process were reached through tight cooperation between Progent engineers and the client:
- Internal web sites were restored with no loss of data.
- The MailStore Server containing more than 4 million historical emails was spun up and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory functions were 100% restored.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Ninety percent of the user desktops and notebooks were back in use by staff.
"A huge amount of what went on that first week is mostly a haze for me, but we will not forget the countless hours each and every one of you accomplished to help get our business back. I've trusted Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This time was the most impressive ever."
A likely business-extinction disaster was averted through the efforts of results-oriented professionals, a wide spectrum of technical expertise, and close teamwork. Although, in hindsight, the ransomware attack described here could have been prevented with advanced security solutions, ISO/IEC 27001 best practices, staff education, and well thought out procedures for data protection and timely security patching, the reality remains that state-sponsored and criminal attackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to ransomware, be confident that Progent's team has proven experience in ransomware defense, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thanks very much for making it so I could get rested after we made it over the initial push. Everyone did an amazing effort, and if any of your guys is around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Philadelphia with a portfolio of remote monitoring and security evaluation services to help minimize the threat from ransomware. These services include modern machine learning capabilities to uncover zero-day variants of ransomware that evade legacy signature-based anti-virus products.
For 24/7 Philadelphia Ransomware Repair Help, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily get past traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to address the entire threat progression including blocking, detection, mitigation, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to security attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help your business plan and configure a ProSight ESP deployment that meets your company's specific requirements and allows you to prove compliance with legal and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent can also help your company set up and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with advanced backup technology providers to produce ProSight Data Protection Services, a family of offerings that provide backup-as-a-service. ProSight DPS services manage and monitor your data backup operations and enable transparent backup and fast recovery of critical files, applications, system images, and VMs. ProSight DPS helps you recover from data loss caused by hardware failure, natural disasters, fire, malware like ransomware, user error, malicious insiders, or application bugs. Managed services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security vendors to deliver centralized management and world-class protection for all your email traffic. The architecture of the Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email before it reaches your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper level of inspection for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server monitor and protect internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map, track, enhance and debug their connectivity hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network maps are always updated, copies and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when potential issues are detected. By automating tedious management activities, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, expanding your network, locating devices that need critical software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your network running efficiently by checking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT personnel and your assigned Progent consultant so that any potential issues can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect data related to your network infrastructure, procedures, business applications, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL/TLS certificates or warranties. By keeping your IT infrastructure documentation current and organized, you can eliminate as much as 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates next generation behavior-based analysis technology to defend endpoint devices, servers and VMs against modern malware attacks like ransomware and email phishing, which routinely escape traditional signature-matching AV tools. The service protects local and cloud-based resources and provides a unified platform to manage the complete malware attack lifecycle including filtering, detection, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time system-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.
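Both this service and ProSight Active Security Monitoring above rely on Windows VSS snapshots for rollback. The practical caveat is that most ransomware families, Ryuk included, delete shadow copies and disable Windows recovery options before they start encrypting (MITRE ATT&CK T1490, Inhibit System Recovery), so a rollback is only available if those commands are blocked or caught in time. The Python script below is an added example and is not Progent's, SentinelOne's or any product's code: it runs a handful of detection rules over a constructed set of Windows process-creation events (the host, user, image and command-line fields of Security event 4688 or Sysmon event 1) and lists the hosts that should be isolated. The event records, rule names and the two-rule isolation threshold are assumptions made for illustration.

```python
"""Detect ransomware attempts to inhibit system recovery (MITRE ATT&CK T1490)
in Windows process-creation telemetry.

Added example: not Progent's or SentinelOne's code. Event records are a
constructed, flattened form of Security event 4688 / Sysmon event 1 fields.
"""
from __future__ import annotations

import re

# Constructed sample events (not real telemetry). FS01 shows the typical
# pre-encryption sequence; WS17 shows benign use of the same tools.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS17", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "WS17", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin start backup -backupTarget:E: -include:C:"},
    {"host": "SQL01", "user": "CORP\\svc_sql",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""},
]

# Each rule: (name, compiled regex over the command line). Matching is
# case-insensitive because these tools accept any casing.
RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin-resize-shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage.*maxsize", re.I)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit-disable-recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin-delete-catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("powershell-remove-shadowcopy",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I)),
]


def match_event(event: dict) -> list[str]:
    """Return the names of all rules whose pattern matches the event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(events: list[dict]) -> list[dict]:
    """Run every rule over every event and return one alert per match."""
    alerts = []
    for ev in events:
        for rule in match_event(ev):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


def hosts_to_isolate(alerts: list[dict], threshold: int = 2) -> list[str]:
    """Hosts that triggered at least `threshold` distinct rules.

    A single hit can be an administrator reclaiming disk space; several
    distinct recovery-inhibiting commands on one host is the pre-encryption
    pattern and justifies immediate network isolation. The threshold of 2 is
    an assumed starting point, not a vendor default.
    """
    seen: dict = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']:6} {a['user']:18} {a['rule']:32} {a['cmdline']}")
    print("isolate:", hosts_to_isolate(found))
```

Run as-is to see the alerts for the sample data. In practice the same patterns belong in an EDR or SIEM rule fed by process-creation auditing with command-line logging enabled, and the isolation threshold should be tuned so that a backup operator resizing shadow storage does not trip it on its own.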
- Outsourced/Co-managed Call Center: Call Center Managed Services
Progent's Service Desk services allow your information technology staff to offload help desk support to Progent, or to split it seamlessly between your in-house support team and Progent's extensive pool of IT service engineers and subject matter experts. Progent's Shared Service Desk provides a transparent extension of your corporate IT support resources. End user access to the help desk, delivery of support, problem escalation, trouble ticket creation and updates, efficiency measurement, and management of the support database are consistent whether issues are handled by your corporate IT support staff, by Progent's team, or by a mix of the two. Read more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management provide organizations of any size a flexible and affordable solution for assessing, testing, scheduling, applying, and documenting updates to your dynamic IT system. In addition to optimizing the security and functionality of your computer network, Progent's patch management services allow your IT staff to focus on line-of-business initiatives and activities that derive maximum business value from your information network. Learn more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication (2FA). Duo enables single-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a protected application and enter your password you are asked to confirm your identity via a device that only you possess and that uses a different ("out-of-band") network channel. A broad range of out-of-band devices can be utilized for this second form of ID validation such as a smartphone or watch, a hardware token, a landline telephone, etc. You may designate multiple verification devices. For details about ProSight Duo two-factor identity validation services, go to Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing line of in-depth reporting tools created to integrate with the industry's top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-through or machines with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.