Ransomware : Your Crippling IT Nightmare
Ransomware  Recovery ProfessionalsRansomware has become a modern cyber pandemic that represents an existential threat for businesses vulnerable to an attack. Multiple generations of ransomware such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for many years and still inflict destruction. Recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as additional as yet unnamed malware, not only encrypt on-line data but also infect all configured system protection mechanisms. Data synched to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, it can render automated restoration useless and basically knocks the datacenter back to zero.

Getting back on-line applications and data following a ransomware event becomes a race against the clock as the victim tries its best to contain and remove the ransomware and to restore mission-critical operations. Due to the fact that crypto-ransomware requires time to spread, penetrations are frequently launched at night, when penetrations tend to take more time to discover. This multiplies the difficulty of quickly mobilizing and organizing a knowledgeable mitigation team.

Progent offers a variety of services for protecting enterprises from ransomware events. Among these are user training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security solutions with machine learning technology from SentinelOne to detect and suppress day-zero cyber threats intelligently. Progent also provides the services of expert ransomware recovery professionals with the skills and commitment to rebuild a compromised system as quickly as possible.

Progent's Ransomware Recovery Support Services
Soon after a ransomware attack, paying the ransom in cryptocurrency does not ensure that criminal gangs will provide the keys to decrypt any or all of your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the average crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to setup from scratch the vital elements of your IT environment. Absent access to full information backups, this requires a wide complement of skills, professional project management, and the ability to work 24x7 until the recovery project is done.

For two decades, Progent has made available professional Information Technology services for companies in San Bernardino and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned advanced certifications in leading technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security experts have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of experience provides Progent the ability to knowledgably determine important systems and organize the surviving components of your network environment following a crypto-ransomware attack and rebuild them into an operational system.

Progent's ransomware team of experts utilizes best of breed project management tools to coordinate the complicated recovery process. Progent appreciates the urgency of working quickly and in unison with a client's management and Information Technology staff to assign priority to tasks and to get the most important applications back on line as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Intrusion Response
A client escalated to Progent after their network system was brought down by Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean state cybercriminals, possibly adopting technology exposed from the United States National Security Agency. Ryuk attacks specific companies with limited room for disruption and is one of the most profitable iterations of ransomware viruses. Major organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with around 500 workers. The Ryuk event had frozen all essential operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the start of the intrusion and were destroyed. The client was pursuing financing for paying the ransom (in excess of two hundred thousand dollars) and praying for good luck, but in the end made the decision to use Progent.


"I cannot tell you enough about the expertise Progent gave us during the most stressful period of (our) businesses survival. We may have had to pay the cybercriminals except for the confidence the Progent team provided us. That you were able to get our e-mail and key applications back into operation quicker than a week was beyond my wildest dreams. Every single expert I worked with or messaged at Progent was laser focused on getting my company operational and was working breakneck pace on our behalf."

Progent worked with the customer to rapidly identify and assign priority to the critical services that needed to be addressed in order to continue business operations:

  • Active Directory (AD)
  • Electronic Mail
  • MRP System
To get going, Progent adhered to Anti-virus event mitigation industry best practices by halting lateral movement and performing virus removal steps. Progent then initiated the work of rebuilding Microsoft AD, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not function without AD, and the businesses' MRP software used Microsoft SQL Server, which depends on Active Directory for authentication to the databases.

In less than 48 hours, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then completed reinstallations and hard drive recovery on key servers. All Exchange Server ties and configuration information were intact, which accelerated the restore of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Offline Data Files) on user PCs in order to recover email messages. A recent off-line backup of the businesses manufacturing software made it possible to restore these required services back servicing users. Although a large amount of work still had to be done to recover fully from the Ryuk event, essential systems were restored rapidly:


"For the most part, the production operation survived unscathed and we did not miss any customer deliverables."

During the next couple of weeks key milestones in the restoration project were accomplished in tight cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million historical emails was brought online and available for users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory modules were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Ninety percent of the user desktops were functioning as before the incident.

"A huge amount of what occurred during the initial response is nearly entirely a haze for me, but my management will not soon forget the countless hours each of the team accomplished to give us our business back. I have entrusted Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This time was a testament to your capabilities."

Conclusion
A probable business-killing catastrophe was averted through the efforts of top-tier professionals, a broad array of subject matter expertise, and close collaboration. Although upon completion of forensics the ransomware virus penetration detailed here could have been disabled with up-to-date security technology solutions and NIST Cybersecurity Framework best practices, user and IT administrator education, and properly executed incident response procedures for information backup and proper patching controls, the reality remains that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's roster of experts has substantial experience in crypto-ransomware virus blocking, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), I'm grateful for letting me get rested after we got past the first week. All of you did an incredible effort, and if anyone that helped is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in San Bernardino a range of remote monitoring and security assessment services to help you to reduce the threat from ransomware. These services incorporate next-generation AI capability to uncover new variants of ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior analysis tools to defend physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to address the complete threat progression including filtering, infiltration detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint management, and web filtering via leading-edge tools packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can assist you to design and implement a ProSight ESP environment that addresses your organization's specific requirements and that allows you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent can also assist your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup/restore software providers to create ProSight Data Protection Services, a family of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup processes and enable transparent backup and fast restoration of critical files, apps, system images, plus VMs. ProSight DPS lets your business protect against data loss caused by hardware breakdown, natural calamities, fire, malware such as ransomware, human mistakes, malicious employees, or software bugs. Managed services available in the ProSight DPS product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading data security vendors to deliver centralized management and world-class protection for your email traffic. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This reduces your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also help Exchange Server to track and safeguard internal email traffic that stays within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, optimize and debug their networking hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept updated, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when problems are detected. By automating complex network management activities, ProSight WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, locating appliances that need critical updates, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to keep your network operating at peak levels by checking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so that all potential problems can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hosting solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs or warranties. By updating and organizing your IT documentation, you can eliminate up to half of time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates next generation behavior-based analysis tools to guard endpoint devices as well as servers and VMs against new malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-based anti-virus products. Progent Active Security Monitoring services protect local and cloud-based resources and offers a unified platform to address the entire malware attack progression including filtering, identification, mitigation, remediation, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Desk: Call Center Managed Services
    Progent's Call Center services permit your IT staff to outsource Help Desk services to Progent or split activity for Help Desk services seamlessly between your in-house support resources and Progent's nationwide roster of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a smooth extension of your internal IT support group. Client interaction with the Service Desk, delivery of support services, problem escalation, trouble ticket creation and tracking, performance metrics, and management of the service database are consistent regardless of whether issues are taken care of by your internal network support staff, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of all sizes a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information system. Besides optimizing the security and functionality of your computer environment, Progent's software/firmware update management services permit your in-house IT team to focus on line-of-business projects and tasks that derive maximum business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against stolen passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation on iOS, Android, and other out-of-band devices. With Duo 2FA, when you sign into a secured application and give your password you are asked to verify your identity on a device that only you have and that uses a different network channel. A wide range of devices can be utilized for this added form of authentication including an iPhone or Android or watch, a hardware token, a landline telephone, etc. You can register multiple verification devices. For more information about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services for access security.
For 24/7 San Bernardino Ransomware Remediation Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.