Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyberplague that represents an enterprise-level threat for organizations unprepared for an attack. Multiple generations of ransomware such as the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for years and still cause havoc. The latest variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, along with newcomers not yet named, not only encrypt online files but also reach and corrupt every backup the compromised system can access. Data synchronized to the cloud can be corrupted as well. In a poorly architected data protection design, this renders automated restores hopeless and effectively resets the entire environment to zero.

Recovering applications and data after a ransomware intrusion becomes a race against the clock as the targeted organization fights to stop lateral movement, clear the ransomware, and restore business-critical operations. Because ransomware needs time to spread laterally, attacks are often launched at night, when a successful intrusion takes longer to notice. This multiplies the difficulty of promptly assembling and coordinating a knowledgeable response team.

Progent offers a variety of services for protecting organizations against ransomware. These include staff training to help employees recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment and configuration of next-generation endpoint security from SentinelOne that uses machine learning to detect and disable zero-day threats automatically. Progent can also provide veteran ransomware recovery engineers with the track record and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom in cryptocurrency offers no assurance that the criminals will hand over the keys needed to decrypt your data. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The ransom itself is also costly: Ryuk demands often range from 15-40 BTC ($120,000 to $400,000), far above the typical ransomware demand, which ZDNET estimates at roughly $13,000. The alternative is to rebuild the mission-critical parts of your IT environment. Without complete data backups, this requires a wide range of IT skills, well-coordinated team management, and the ability to work 24x7 until the recovery is done.

For twenty years, Progent has offered certified expert IT services for companies in San Bernardino and across the U.S. and has earned Microsoft's Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers with high-level certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC (refer to Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the ability to quickly identify critical systems, reorganize the surviving components of your IT environment after a ransomware attack, and assemble them into a working network.

Progent's security team uses top-notch project management tools to orchestrate the complex restoration process. Progent understands the urgency of working swiftly, together with the customer's management and IT staff, to prioritize tasks and bring key services back online as fast as possible.

Customer Story: A Successful Ransomware Penetration Response
A customer contacted Progent after their network was penetrated by Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, suspected of adopting techniques leaked from America's National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most profitable ransomware families. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with around 500 employees. The Ryuk intrusion had brought down all business operations and manufacturing capability. Most of the client's backups had been online when the intrusion began and were destroyed. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but ultimately called Progent.


"I can't speak enough in regards to the care Progent provided us throughout the most stressful period of (our) business's survival. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent experts gave us. That you could get our messaging and essential servers back online in less than seven days was incredible. Each person I interacted with or communicated with at Progent was hell bent on getting us operational and was working 24/7 on our behalf."

Progent worked hand in hand with the client to rapidly identify and prioritize the most important systems that had to be addressed to keep the business running:

  • Active Directory
  • Microsoft Exchange
  • Financials/MRP

To begin, Progent followed industry best practices for malware incident response by containing the spread and then removing the ransomware. Progent then started bringing Windows Active Directory back online, since AD is the core of enterprise networks built on Microsoft Windows technology: Microsoft Exchange messaging cannot work without AD, and the customer's financials and MRP applications ran on Microsoft SQL Server, which depended on AD to control access to the data.

In less than two days, Progent restored Active Directory to its pre-attack state. Progent then assisted with rebuilding mission-critical systems and recovering their storage. All Exchange data and attributes were usable, which eased the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Offline Folder Files) on user workstations and use them to recover mail data. A reasonably recent offline backup of the financials/MRP software made it possible to bring those essential applications back to users. Although a great deal of work remained to recover fully from the Ryuk incident, core services were back in operation quickly:


"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer sales."
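One concrete form of the OST triage mentioned above, written as an added example for this case study rather than Progent's own tooling: the script walks a recovered workstation profile tree (assumed to be copied or mounted for analysis), finds Outlook OST/PST files, including ones an encryptor renamed by appending an extension, and reports which still begin with the Outlook data-file signature `!BDN` (the dwMagic field of the MS-PST header) and which do not. The `.locked` suffix and the sample profile tree are constructed for the demo; real encryptors use their own extensions.

```python
"""Triage Outlook data files (OST/PST) on recovered workstation disks.

Added example (not Progent's code). A file that still carries the "!BDN"
signature at offset 0 is a candidate for mail recovery; one that does not
was overwritten by the encryptor. File names, the ".locked" suffix and the
sample profile tree are constructed for this demo.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List

PST_MAGIC = b"!BDN"            # first four bytes of every PST/OST file
OUTLOOK_EXTS = ("ost", "pst")  # extension tokens we look for in a file name


@dataclass
class Finding:
    path: str
    size: int
    status: str  # intact | encrypted | renamed_intact | renamed_encrypted


def looks_like_outlook_file(name: str) -> bool:
    """True for mailbox.ost, Mailbox.PST and renamed victims such as mailbox.ost.locked."""
    tokens = name.lower().split(".")[1:]  # drop the stem so "post.txt" does not match
    return any(tok in OUTLOOK_EXTS for tok in tokens)


def header_is_intact(path: str) -> bool:
    """True if the file still begins with the Outlook data-file signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(PST_MAGIC)) == PST_MAGIC
    except OSError:
        return False


def classify(path: str) -> Finding:
    """Combine the file-name shape and the header check into one verdict."""
    normal_exts = tuple("." + e for e in OUTLOOK_EXTS)
    renamed = not os.path.basename(path).lower().endswith(normal_exts)
    intact = header_is_intact(path)
    status = ("renamed_" if renamed else "") + ("intact" if intact else "encrypted")
    return Finding(path, os.path.getsize(path), status)


def scan_tree(root: str) -> List[Finding]:
    """Walk root and classify every candidate Outlook data file."""
    findings = [
        classify(os.path.join(dirpath, name))
        for dirpath, _dirs, files in os.walk(root)
        for name in files
        if looks_like_outlook_file(name)
    ]
    return sorted(findings, key=lambda f: f.path)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def build_demo_tree(root: str) -> None:
    """Constructed sample profile tree (not real data): one file per outcome."""
    filler = b"\x00" * 60  # stands in for the rest of the header
    scrambled = bytes(b ^ 0x5A for b in PST_MAGIC + filler)  # "encrypted" in place
    samples = {
        "alice/AppData/Local/Microsoft/Outlook/alice@example.com.ost": PST_MAGIC + filler,
        "bob/AppData/Local/Microsoft/Outlook/bob@example.com.ost": scrambled,
        "carol/Documents/archive.pst.locked": bytes(range(64)),  # renamed and encrypted
        "dave/AppData/Local/Microsoft/Outlook/dave.ost.locked": PST_MAGIC + filler,  # renamed only
        "erin/Documents/notes.txt": b"not an outlook file",
    }
    for rel, content in samples.items():
        full = os.path.join(root, "Users", *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def run_demo() -> Dict[str, int]:
    """Build the sample tree, scan it, print one line per file, return the tally."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        findings = scan_tree(tmp)
        for f in findings:
            print(f"{f.status:<18} {f.size:>5} B  {os.path.relpath(f.path, tmp)}")
        return summarize(findings)


if __name__ == "__main__":
    print(run_demo())
```

The signature check is only a first filter: an intact header is necessary but not sufficient, since an encryptor that skips the first bytes or stops partway through leaves the signature in place while damaging the contents. Files that pass should still be opened with Outlook's Inbox Repair Tool (scanpst.exe) before their mail is counted as recovered.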

Over the following couple of weeks important milestones in the restoration project were completed through close collaboration between Progent team members and the customer:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million historical messages, was brought back up and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory modules were fully recovered.
  • A new Palo Alto Networks PA-850 security appliance was installed.
  • Nearly all of the user desktops and notebooks were back into operation.

"A lot of what transpired in the initial days is nearly entirely a haze for me, but I will not soon forget the dedication each and every one of the team accomplished to help get our business back. I have trusted Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A potential business disaster was averted through hard-working experts, a broad range of subject matter expertise, and close teamwork. Post-incident forensics showed that the attack described here could have been prevented with up-to-date security solutions and best practices, staff training, and well-designed incident response procedures covering data backup and patch management; nevertheless, state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, you can be confident that Progent's roster of professionals has a proven track record in ransomware defense, removal, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for making it so I could get rested after we made it through the first week. All of you did an incredible effort, and if any of your team is around the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in San Bernardino a range of online monitoring and security assessment services to help you to minimize your vulnerability to crypto-ransomware. These services utilize next-generation artificial intelligence technology to uncover zero-day strains of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's cutting-edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely escape legacy signature-based anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to manage the entire threat lifecycle including protection, detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP environment that meets your company's specific requirements and that allows you to prove compliance with government and industry information protection regulations. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also help your company to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup technology companies to create ProSight Data Protection Services (DPS), a family of management offerings that provide backup-as-a-service. ProSight DPS services manage and track your data backup processes and enable non-disruptive backup and fast restoration of critical files/folders, apps, images, plus VMs. ProSight DPS lets you avoid data loss caused by equipment breakdown, natural calamities, fire, malware like ransomware, human mistakes, malicious employees, or software glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to provide web-based management and world-class protection for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter serves as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of analysis for inbound email. For outbound email, the local gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also assist Exchange Server to track and protect internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, optimize and debug their connectivity hardware such as routers, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, captures and manages the configuration of almost all devices on your network, monitors performance, and generates alerts when problems are detected. By automating tedious management processes, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, finding devices that need important updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your network operating efficiently by tracking the health of vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT staff and your Progent consultant so all potential issues can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected fault-tolerant data center on a fast virtual host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect data related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By updating and managing your IT documentation, you can save as much as 50% of time spent trying to find critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates next-generation behavior analysis tools to defend endpoints and physical and virtual servers against new malware assaults like ransomware and file-less exploits, which easily evade traditional signature-matching AV tools. Progent ASM services protect local and cloud resources and offer a single platform to automate the complete threat lifecycle including blocking, infiltration detection, containment, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Center: Call Center Managed Services
    Progent's Call Center managed services enable your information technology team to offload Support Desk services to Progent or divide responsibilities for Service Desk support transparently between your internal support group and Progent's nationwide roster of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a smooth supplement to your core support organization. Client interaction with the Help Desk, provision of support, escalation, ticket generation and tracking, performance measurement, and maintenance of the support database are consistent regardless of whether incidents are resolved by your corporate network support group, by Progent, or a mix of the two. Learn more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide organizations of any size a versatile and cost-effective alternative for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic IT system. Besides maximizing the protection and reliability of your IT environment, Progent's software/firmware update management services allow your IT team to concentrate on line-of-business initiatives and activities that deliver the highest business value from your information network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity verification on iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected online account and give your password you are requested to confirm your identity via a device that only you have and that is accessed using a separate network channel. A wide range of out-of-band devices can be utilized for this second means of authentication including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can designate multiple validation devices. To find out more about Duo identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time management reporting plug-ins created to work with the industry's top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like spotty support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.

For San Bernardino 24-7 Ransomware Recovery Services, call Progent at 800-462-8800 or go to Contact Progent.