Ransomware : Your Feared IT Nightmare
Ransomware Remediation Professionals

Ransomware has become a modern cyberplague that represents an existential danger for businesses unprepared for an attack. Multiple generations of ransomware like the CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for a long time and continue to inflict damage. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, as well as daily unnamed variants, not only encrypt on-line critical data but also seek out and destroy any reachable system restore points and backups. Files synchronized to cloud environments can also be corrupted. In a poorly architected data protection solution, this can render any recovery impossible and effectively sets the entire system back to zero.

Recovering applications and data after a crypto-ransomware outage becomes a race against time as the victim tries its best to contain and clear the ransomware and to resume business-critical operations. Because ransomware needs time to spread, attacks are usually launched at night or on weekends, when they typically take longer to detect. This multiplies the difficulty of promptly mobilizing and orchestrating a qualified mitigation team.

Progent has an assortment of solutions for protecting organizations from ransomware events. Among these are staff education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security gateways with artificial intelligence capabilities from SentinelOne to detect and disable zero-day threats rapidly. Progent in addition can provide the services of veteran ransomware recovery professionals with the talent and commitment to reconstruct a breached environment as soon as possible.

Progent's Ransomware Restoration Services
After a ransomware penetration, paying the ransom demand in cryptocurrency does not provide any assurance that the criminal gang will supply the keys needed to decrypt any of your information. Kaspersky determined that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in further losses. Paying is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to piece back together the mission-critical components of your Information Technology environment. Absent access to full data backups, this calls for a broad range of IT skills, professional team management, and the willingness to work non-stop until the job is over.

For two decades, Progent has provided certified expert IT services for businesses in St. Louis and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned high-level industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent in addition has expertise with financial systems and ERP application software. This breadth of experience enables Progent to knowledgeably identify necessary systems, re-organize the surviving components of your IT environment after a crypto-ransomware attack, and configure them into a functioning system.

Progent's ransomware team uses best of breed project management systems to orchestrate the sophisticated recovery process. Progent appreciates the importance of acting rapidly and together with a client's management and IT team members to prioritize tasks and to put critical applications back on-line as fast as possible.

Customer Story: A Successful Ransomware Attack Response
A business contacted Progent after their network was penetrated by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state hackers, possibly using technology exposed from America's National Security Agency. Ryuk targets specific businesses with little or no room for disruption and is among the most profitable iterations of ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had brought down all company operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible from the network at the time of the intrusion and were destroyed. The client was taking steps to pay the ransom (more than $200,000) and hoping for good luck, but in the end engaged Progent.


"I can't tell you enough about the help Progent gave us during the most critical time of (our) company's life. We may have had to pay the hackers behind this attack if not for the confidence the Progent team afforded us. That you could get our messaging and important servers back in less than one week was amazing. Each expert I got help from or texted at Progent was totally committed to getting our system up and was working all day and night on our behalf."

Progent worked with the customer to rapidly determine and assign priority to the mission critical elements that needed to be recovered to make it possible to resume company operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting/MRP

To begin, Progent followed anti-malware incident response best practices by stopping the spread and cleaning infected systems. Progent then initiated the task of restoring Active Directory, the heart of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without AD, and the customer's financials and MRP system leveraged Microsoft SQL Server, which depends on Windows AD for authentication to the database.

In less than 48 hours, Progent was able to restore Active Directory to its pre-intrusion state. Progent then helped perform setup and hard drive recovery on mission critical systems. All Microsoft Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Microsoft Outlook Off-Line Folder Files) from staff workstations and laptops in order to recover mail data. A recent off-line backup of the business's accounting systems made it possible to bring these essential applications back online. Although major work remained to recover completely from the Ryuk damage, core services were restored quickly:
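The recovery sequence above follows a dependency chain: Exchange needs Active Directory, the accounting/MRP system needs SQL Server, and SQL Server needs AD for authentication, so AD comes back first and components with destroyed online backups need another source (the OST files in this case). The following added example, which is not Progent's tooling or part of the case study, turns that reasoning into a small dependency-ordered recovery planner; the component names and dependencies come from the case study, while the backup states are constructed sample data.

```python
"""Dependency-ordered recovery planner (added illustration, not Progent's tooling).

Orders restoration so every dependency is back before the systems that
need it, breaks ties by business priority, and flags components whose
backups were reachable by the ransomware (and so must be assumed lost).
"""

# Constructed sample inventory: name -> (depends_on, backup_state)
# backup_state: "offline" (usable), "online" (reachable at intrusion
# time, assume destroyed), or "none" (never backed up).
INVENTORY = {
    "Active Directory": ((), "offline"),
    "Exchange Server":  (("Active Directory",), "online"),
    "SQL Server":       (("Active Directory",), "offline"),
    "Accounting/MRP":   (("SQL Server",), "offline"),
    "Web applications": (("Active Directory", "SQL Server"), "offline"),
    "Workstations":     (("Active Directory",), "none"),
}

# Business priority from the case study: AD, messaging, accounting first.
PRIORITY = ["Active Directory", "Exchange Server", "Accounting/MRP"]


def recovery_order(inventory, priority):
    """Return components in an order where every dependency is restored
    first (Kahn's algorithm). Among components that become ready at the
    same time, the business-priority list decides the tie-break."""
    indegree = {name: 0 for name in inventory}
    dependents = {name: [] for name in inventory}
    for name, (deps, _) in inventory.items():
        for dep in deps:
            if dep not in inventory:
                raise ValueError(f"{name} depends on unknown component {dep}")
            indegree[name] += 1
            dependents[dep].append(name)

    rank = {name: i for i, name in enumerate(priority)}
    unranked = len(priority)
    ready = sorted((n for n, d in indegree.items() if d == 0),
                   key=lambda n: rank.get(n, unranked))
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
        ready.sort(key=lambda n: rank.get(n, unranked))  # stable sort
    if len(order) != len(inventory):
        # Whatever is left depends on itself through a cycle; the plan
        # cannot be ordered until the inventory is corrected.
        missing = [n for n in inventory if n not in order]
        raise ValueError("circular dependency among: " + ", ".join(missing))
    return order


def needs_alternate_source(inventory):
    """Components whose backups were online at intrusion time or never
    existed: these need another recovery source (for mail in the case
    study, the unencrypted OST files on workstations)."""
    return [n for n, (_, state) in inventory.items() if state != "offline"]


if __name__ == "__main__":
    for step, name in enumerate(recovery_order(INVENTORY, PRIORITY), 1):
        print(f"{step}. {name}")
    print("needs alternate source:", needs_alternate_source(INVENTORY))
```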


"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer orders."

Over the following couple of weeks, key milestones in the recovery process were completed through close cooperation between Progent team members and the customer:

  • In-house web applications were returned to operation without losing any data.
  • The MailStore Exchange Server with over 4 million historical messages was spun up and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were 100% restored.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Most of the user workstations were fully operational.

"A huge amount of what went on those first few days is nearly entirely a haze for me, but I will not soon forget the dedication each and every one of the team put in to give us our company back. I have trusted Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A potential business catastrophe was avoided through the efforts of top-tier experts, a broad spectrum of knowledge, and close teamwork. Post-incident forensics showed that the ransomware incident described here could have been identified and stopped with up-to-date cyber security technology and recognized best practices, staff education, properly executed information protection procedures, and proper patching controls. Even so, the fact is that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to crypto-ransomware, be assured that Progent's roster of professionals has proven experience in ransomware defense, removal, and information systems disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for allowing me to get some sleep after we made it through the initial fire. Everyone made an impressive effort, and if any of your guys are around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in St. Louis a variety of remote monitoring and security evaluation services to help you to minimize the threat from crypto-ransomware. These services include next-generation machine learning technology to uncover zero-day strains of crypto-ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily get by legacy signature-matching anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a single platform to manage the complete malware attack progression including filtering, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer economical multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business design and configure a ProSight ESP deployment that addresses your company's unique needs and that helps you prove compliance with legal and industry information protection standards. Progent will assist you in specifying and implementing the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent can also help your company install and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore technology companies to produce ProSight Data Protection Services, a selection of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your backup processes and allow transparent backup and rapid restoration of important files, applications, images, plus virtual machines. ProSight DPS helps your business protect against data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, user error, ill-intentioned employees, or application glitches. Managed services available in the ProSight DPS product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top data security vendors to deliver centralized control and comprehensive security for your email traffic. The hybrid structure of Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a further level of inspection for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, track, enhance and debug their networking appliances like routers and switches, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are always current, copies and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when problems are discovered. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding devices that require critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the state of critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT personnel and your Progent consultant so all potential problems can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Since the system is virtualized, it can be ported easily to a different hosting solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save up to 50% of the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior analysis technology to guard endpoints as well as physical and virtual servers against modern malware assaults such as ransomware and email phishing, which easily get by legacy signature-based anti-virus tools. Progent Active Security Monitoring services protect local and cloud resources and offer a single platform to address the entire threat progression including filtering, infiltration detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Support Desk managed services enable your information technology staff to outsource Support Desk services to Progent or divide activity for Service Desk support transparently between your in-house network support staff and Progent's extensive pool of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a transparent supplement to your in-house IT support staff. End user interaction with the Help Desk, delivery of support services, escalation, ticket creation and updates, efficiency measurement, and management of the service database are consistent whether incidents are taken care of by your corporate IT support organization, by Progent, or a mix of the two. Learn more about Progent's outsourced/co-managed Service Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide businesses of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your dynamic IT network. Besides maximizing the security and functionality of your IT network, Progent's patch management services permit your IT team to concentrate on line-of-business initiatives and activities that derive the highest business value from your information network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication. Duo enables single-tap identity confirmation on iOS, Android, and other personal devices. With 2FA, when you log into a protected application and enter your password, you are asked to verify who you are via a device that only you possess and that is reached over a different ("out-of-band") network channel. A broad range of out-of-band devices can be used as this added means of authentication, such as a smartphone or wearable, a hardware/software token, or a landline telephone. You may designate multiple validation devices. To learn more about Duo identity validation services, go to Cisco Duo MFA two-factor authentication services.

For 24x7 St. Louis Crypto-Ransomware Repair Support Services, contact Progent at 800-462-8800 or go to Contact Progent.