Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware Remediation Consultants
Ransomware has become an escalating cyber plague that poses an existential threat to organizations vulnerable to an attack. Strains such as the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for years and still inflict destruction. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, plus a steady stream of as yet unnamed malware, not only encrypt online files but also infect any system backups they can reach. Files synchronized to cloud environments can also be ransomed. With a poorly designed data protection solution, this can make restoration hopeless and effectively knocks the datacenter back to square one.

Getting online services and information back following a ransomware intrusion becomes a sprint against time as the victim fights to contain the damage, eradicate the crypto-ransomware and resume business-critical activity. Because crypto-ransomware needs time to spread, attacks are frequently launched at night and on weekends, when a successful intrusion often takes longer to discover. This compounds the difficulty of quickly marshalling and organizing an experienced response team.

Progent offers a range of services for protecting organizations from ransomware attacks. These include user training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of latest-generation security solutions built on SentinelOne's artificial intelligence technology to detect and suppress new cyber attacks automatically. Progent can also provide expert ransomware recovery engineers with the track record and perseverance to rebuild a compromised system as quickly as possible.

Progent's Ransomware Recovery Services
Following a ransomware event, paying the ransom in Bitcoin does not ensure that the criminals will respond with the keys to decrypt any or all of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), far higher than the typical crypto-ransomware demand, which ZDNET estimates at about $13,000. The fallback is to reinstall the vital parts of your IT environment. Without access to essential system backups, this requires a wide complement of skill sets, professional project management, and the capability to work 24x7 until the job is done.

For twenty years, Progent has provided certified expert IT services for businesses in Seattle and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of experience gives Progent the capability to quickly identify the important systems, salvage the remaining parts of your network after a crypto-ransomware penetration, and rebuild them into a functioning network.

Progent's ransomware team uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the urgency of working rapidly and in concert with a customer's management and IT resources to prioritize tasks and get critical services back online as soon as humanly possible.

Client Story: A Successful Ransomware Penetration Recovery
A small business escalated to Progent after their network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored criminal gangs, possibly using algorithms leaked from the United States National Security Agency. Ryuk targets specific organizations with limited tolerance for disruption and is one of the most profitable incarnations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with around 500 staff members. The Ryuk intrusion had brought down all essential business operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network when the attack began and were destroyed along with the live data. The client was preparing to pay the ransom (in excess of $200K) and hoping for the best, but ultimately reached out to Progent.


"I can't speak enough about the help Progent gave us during the most stressful time of (our) business's existence. We most likely would have paid the hackers if it wasn't for the confidence the Progent team afforded us. That you were able to get our e-mail and production applications back on-line in less than seven days was beyond my wildest dreams. Each person I got help from or texted at Progent was laser focused on getting us operational and was working at all hours on our behalf."

Progent worked together with the customer to rapidly understand and prioritize the key applications that needed to be restored in order to resume departmental operations:

  • Active Directory (AD)
  • Electronic Messaging
  • MRP System
To begin, Progent followed ransomware incident response best practices by halting lateral movement and disinfecting systems. Progent then began restoring Active Directory, the core of enterprise networks built on Microsoft technology: Microsoft Exchange Server will not operate without Windows AD, and the client's MRP software ran on Microsoft SQL Server, which depends on Windows AD for authenticated access to its data.

Within 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then began rebuilding and recovering the disks of the required servers. All Microsoft Exchange Server schema and configuration information was intact, which accelerated the rebuild of Exchange. Progent was also able to collect the local OST files (Outlook offline data files) from staff workstations to recover mail messages. A reasonably recent offline backup of the company's manufacturing software made it possible to bring these vital applications back online. Although a lot of work remained to recover fully from the Ryuk damage, essential services were restored quickly:
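The recovery order above follows from service dependencies: Exchange and the MRP system's SQL back end are useless until Active Directory is back. The following added example (not Progent's tooling) models those dependencies from the case study and sequences restoration into phases with Kahn's topological sort; the dependency table is constructed from the narrative, and the MailStore-on-Exchange and web-site entries are assumptions for illustration.

```python
"""Dependency-ordered ransomware recovery planner (added example)."""
from collections import defaultdict, deque

# Constructed from the case study: service -> services it depends on.
# MailStore depending on Exchange and the web sites being independent
# are illustrative assumptions, not statements from the case study.
CASE_STUDY_DEPENDENCIES = {
    "Active Directory": [],
    "Exchange Server": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP System": ["SQL Server"],
    "MailStore Archive": ["Exchange Server"],
    "Self-hosted web sites": [],
}


def _dependents(deps):
    """Invert the map: service -> services that depend on it."""
    out = defaultdict(list)
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc!r} depends on unknown service {need!r}")
            out[need].append(svc)
    return out


def recovery_phases(deps):
    """Return restoration phases via Kahn's algorithm.

    Each phase lists services whose dependencies were all restored in
    earlier phases, so services within one phase can be rebuilt in
    parallel. A cycle (which cannot be sequenced) raises ValueError.
    """
    dependents = _dependents(deps)
    pending = {svc: len(needs) for svc, needs in deps.items()}
    ready = sorted(s for s, n in pending.items() if n == 0)
    phases, done = [], 0
    while ready:
        phases.append(ready)
        done += len(ready)
        next_ready = []
        for svc in ready:
            for dep in dependents[svc]:
                pending[dep] -= 1
                if pending[dep] == 0:
                    next_ready.append(dep)
        ready = sorted(next_ready)
    if done != len(deps):
        stuck = sorted(s for s, n in pending.items() if n > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return phases


def blocked_by(deps, service):
    """Set of services that cannot run while `service` is down
    (its transitive dependents), e.g. everything behind Active Directory."""
    dependents = _dependents(deps)
    seen, queue = set(), deque([service])
    while queue:
        for dep in dependents[queue.popleft()]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


if __name__ == "__main__":
    for i, phase in enumerate(recovery_phases(CASE_STUDY_DEPENDENCIES), 1):
        print(f"Phase {i}: {', '.join(phase)}")
    print("Blocked while AD is down:",
          sorted(blocked_by(CASE_STUDY_DEPENDENCIES, "Active Directory")))
```

Running it puts Active Directory (and the independent web sites) in phase 1, Exchange and SQL Server in phase 2, and the MRP system and mail archive in phase 3, matching the order the engineers followed.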


"For the most part, the assembly line operation survived unscathed and we delivered all customer orders."

During the next few weeks important milestones in the restoration project were completed in close cooperation between Progent engineers and the customer:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Microsoft Exchange Server with over four million historical emails was brought online and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory capabilities were fully functional.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Ninety percent of the user workstations were back in use by staff.

"A lot of what transpired in the early hours is mostly a haze for me, but my management will not forget the commitment each and every one of the team put in to help get our company back. I have trusted Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This situation was a testament to your capabilities."

Conclusion
A potential business extinction catastrophe was averted by hard-working experts, a broad spectrum of subject matter expertise, and close teamwork. Forensics showed afterwards that the ransomware incident described here could have been stopped with current security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and well-thought-out incident response procedures for data backup and patching controls. The fact remains, however, that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware penetration, remember that Progent's team of professionals has proven experience in blocking crypto-ransomware, cleaning it up, and recovering data after the disaster.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thank you for letting me get rested after we made it over the initial fire. All of you made a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Seattle a variety of online monitoring and security evaluation services to help you to reduce your vulnerability to ransomware. These services incorporate next-generation AI technology to detect zero-day strains of crypto-ransomware that can escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's cutting edge behavior analysis tools to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily escape legacy signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to address the entire threat progression including filtering, infiltration detection, containment, remediation, and forensics. Key capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's security and virtualization experts can help you to plan and implement a ProSight ESP deployment that meets your organization's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent can also assist your company to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup technology companies to produce ProSight Data Protection Services (DPS), a family of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and enable transparent backup and fast restoration of vital files, applications, images, and virtual machines. ProSight DPS lets your business recover from data loss caused by hardware failures, natural calamities, fire, malware such as ransomware, human mistakes, malicious employees, or software glitches. Managed backup services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security vendors to provide centralized control and world-class security for your email traffic. The powerful architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to offer advanced protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite security gateway device provides a further level of inspection for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam protection, DLP, and email encryption. The local gateway can also assist Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, monitor, optimize and troubleshoot their networking hardware like routers, firewalls, and access points plus servers, printers, client computers and other networked devices. Using state-of-the-art RMM technology, WAN Watch ensures that network maps are kept current, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when problems are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off common tasks such as network mapping, expanding your network, locating devices that require critical software patches, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating efficiently by tracking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT management personnel and your assigned Progent engineering consultant so that all potential issues can be addressed before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Since the system is virtualized, it can be moved easily to an alternate hosting solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting edge behavior-based analysis tools to defend endpoints as well as physical and virtual servers against new malware assaults such as ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus tools. Progent's ASM services protect on-premises and cloud resources and offer a unified platform to automate the entire threat lifecycle including protection, infiltration detection, mitigation, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Desk: Help Desk Managed Services
    Progent's Help Desk services allow your information technology team to outsource Help Desk services to Progent or divide responsibilities for support services transparently between your in-house support resources and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a smooth extension of your core support organization. End user interaction with the Help Desk, delivery of support, escalation, trouble ticket creation and updates, efficiency metrics, and management of the service database are consistent regardless of whether issues are resolved by your core network support organization, by Progent, or both. Find out more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide businesses of any size a flexible and cost-effective alternative for assessing, testing, scheduling, implementing, and documenting updates to your ever-evolving information system. Besides maximizing the security and functionality of your computer network, Progent's patch management services free up time for your in-house IT staff to focus on line-of-business projects and activities that deliver maximum business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA managed services utilize Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo supports single-tap identity confirmation on iOS, Android, and other personal devices. With Duo 2FA, whenever you log into a secured online account and enter your password you are asked to verify who you are on a device that only you have and that uses a different ("out-of-band") network channel. A broad selection of devices can be used for this second form of authentication, such as an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone. You may designate multiple verification devices. For details about ProSight Duo identity validation services, refer to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of in-depth reporting plug-ins designed to work with the industry's leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues such as inconsistent support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Seattle Crypto-Ransomware Removal Help, contact Progent at 800-462-8800 or go to Contact Progent.