Ransomware : Your Worst Information Technology Catastrophe
Crypto-Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that presents an extinction-level danger for businesses of all sizes unprepared for an attack. Versions of ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and still cause harm. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, along with daily as yet unnamed newcomers, not only do encryption of on-line critical data but also infiltrate many configured system protection. Information synched to cloud environments can also be encrypted. In a poorly designed environment, it can make automated restoration impossible and basically sets the datacenter back to zero.

Getting back services and data after a crypto-ransomware intrusion becomes a race against time as the targeted business fights to contain and cleanup the virus and to restore business-critical activity. Due to the fact that crypto-ransomware requires time to spread, attacks are usually launched on weekends and holidays, when successful attacks typically take more time to recognize. This multiplies the difficulty of promptly marshalling and organizing a capable mitigation team.

Progent offers an assortment of support services for securing businesses from ransomware events. These include team education to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security appliances with machine learning capabilities from SentinelOne to discover and quarantine new cyber threats rapidly. Progent also offers the services of expert ransomware recovery professionals with the track record and perseverance to reconstruct a compromised environment as soon as possible.

Progent's Ransomware Recovery Services
Subsequent to a crypto-ransomware event, paying the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will respond with the needed codes to unencrypt any or all of your data. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET averages to be around $13,000. The alternative is to re-install the mission-critical components of your IT environment. Without the availability of complete data backups, this calls for a wide range of skill sets, professional project management, and the ability to work 24x7 until the task is over.

For two decades, Progent has provided expert Information Technology services for businesses in Seattle and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained high-level certifications in important technologies such as Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity specialists have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience affords Progent the skills to efficiently determine important systems and organize the remaining parts of your computer network environment after a crypto-ransomware penetration and rebuild them into a functioning system.

Progent's recovery team utilizes top notch project management applications to orchestrate the complex restoration process. Progent knows the importance of working rapidly and in unison with a customer's management and IT team members to assign priority to tasks and to get the most important applications back on line as fast as possible.

Customer Case Study: A Successful Ransomware Penetration Restoration
A customer escalated to Progent after their company was brought down by Ryuk ransomware virus. Ryuk is thought to have been launched by Northern Korean state hackers, suspected of using strategies leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no room for disruption and is among the most lucrative incarnations of ransomware. Well Known organizations include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago and has about 500 staff members. The Ryuk event had shut down all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the start of the intrusion and were encrypted. The client was pursuing financing for paying the ransom demand (in excess of $200,000) and wishfully thinking for the best, but ultimately brought in Progent.


"I cannot thank you enough in regards to the support Progent gave us throughout the most critical period of (our) businesses life. We would have paid the cyber criminals if not for the confidence the Progent group afforded us. The fact that you were able to get our e-mail system and key servers back online faster than five days was something I thought impossible. Every single expert I worked with or communicated with at Progent was urgently focused on getting us back on-line and was working breakneck pace on our behalf."

Progent worked with the customer to rapidly get our arms around and assign priority to the essential elements that had to be recovered in order to resume business operations:

  • Active Directory (AD)
  • Exchange Server
  • Accounting/MRP
To start, Progent adhered to Anti-virus event response industry best practices by stopping lateral movement and disinfecting systems. Progent then initiated the steps of rebuilding Windows Active Directory, the core of enterprise environments built upon Microsoft Windows Server technology. Exchange messaging will not work without Windows AD, and the customer's accounting and MRP system used Microsoft SQL, which depends on Windows AD for security authorization to the information.

In less than 48 hours, Progent was able to recover Active Directory services to its pre-virus state. Progent then initiated reinstallations and hard drive recovery on needed systems. All Exchange data and configuration information were usable, which greatly helped the restore of Exchange. Progent was able to find non-encrypted OST data files (Outlook Offline Data Files) on various PCs in order to recover email data. A not too old off-line backup of the client's accounting/MRP software made them able to restore these required applications back online for users. Although major work was left to recover fully from the Ryuk event, critical systems were returned to operations rapidly:


"For the most part, the manufacturing operation did not miss a beat and we made all customer sales."

Throughout the following few weeks critical milestones in the recovery process were made in close cooperation between Progent consultants and the client:

  • In-house web sites were returned to operation with no loss of information.
  • The MailStore Exchange Server containing more than four million archived emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoices/AP/AR/Inventory capabilities were 100 percent recovered.
  • A new Palo Alto Networks 850 security appliance was set up.
  • 90% of the user workstations were back into operation.

"So much of what occurred in the early hours is mostly a blur for me, but my management will not forget the countless hours all of the team accomplished to give us our business back. I've utilized Progent for at least 10 years, possibly more, and each time Progent has shined and delivered. This situation was a testament to your capabilities."

Conclusion
A possible business catastrophe was evaded by dedicated professionals, a wide spectrum of IT skills, and tight collaboration. Although in post mortem the ransomware attack detailed here should have been identified and prevented with advanced security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well designed security procedures for data protection and applying software patches, the fact is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's team of experts has extensive experience in ransomware virus blocking, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), thank you for letting me get rested after we made it past the initial push. Everyone did an incredible job, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Seattle a range of remote monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services utilize next-generation machine learning capability to detect zero-day strains of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely get by traditional signature-based AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to automate the complete threat progression including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint management, and web filtering via leading-edge tools incorporated within one agent accessible from a single control. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP environment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent can also assist your company to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products manage and track your backup operations and enable transparent backup and rapid recovery of vital files, applications, images, and virtual machines. ProSight DPS helps you avoid data loss caused by hardware failures, natural disasters, fire, malware like ransomware, human mistakes, malicious employees, or application glitches. Managed services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security companies to deliver web-based management and world-class security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and blocks most threats from making it to your security perimeter. This decreases your vulnerability to external threats and conserves system bandwidth and storage space. Email Guard's onsite security gateway device provides a further layer of analysis for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map, monitor, enhance and troubleshoot their networking hardware like routers, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates notices when issues are discovered. By automating complex network management processes, WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating appliances that require critical updates, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT personnel and your assigned Progent consultant so any looming problems can be resolved before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hosting solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSLs or domains. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of time spent searching for critical information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes next generation behavior-based machine learning tools to defend endpoints and servers and VMs against modern malware attacks like ransomware and email phishing, which easily get by traditional signature-matching anti-virus tools. Progent ASM services protect on-premises and cloud-based resources and offers a single platform to manage the entire threat progression including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Service Desk: Call Center Managed Services
    Progent's Support Center managed services enable your IT group to outsource Help Desk services to Progent or split activity for support services seamlessly between your internal network support team and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a smooth supplement to your internal network support team. User interaction with the Service Desk, delivery of support services, problem escalation, trouble ticket generation and tracking, performance metrics, and maintenance of the support database are consistent regardless of whether issues are taken care of by your internal support staff, by Progent, or by a combination. Read more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of all sizes a flexible and affordable alternative for assessing, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving information system. Besides optimizing the security and reliability of your IT network, Progent's patch management services permit your IT team to concentrate on line-of-business projects and activities that deliver the highest business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to protect against password theft by using two-factor authentication. Duo supports single-tap identity verification with Apple iOS, Android, and other out-of-band devices. Using Duo 2FA, when you log into a protected online account and enter your password you are requested to verify your identity on a unit that only you have and that is accessed using a separate network channel. A wide range of out-of-band devices can be utilized as this added means of authentication including an iPhone or Android or watch, a hardware token, a landline phone, etc. You can register several verification devices. To find out more about Duo identity authentication services, refer to Duo MFA two-factor authentication services.
For 24x7x365 Seattle Ransomware Removal Services, contact Progent at 800-462-8800 or go to Contact Progent.