Ransomware : Your Worst Information Technology Disaster
Ransomware Remediation Experts
Ransomware has become a modern cyber pandemic that represents an extinction-level threat for organizations vulnerable to an attack. Versions of crypto-ransomware like the CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been running rampant for years and still cause havoc. The latest strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nephilim, plus more as yet unnamed newcomers, not only encrypt online critical data but also infiltrate every system backup they can reach. Files synchronized to off-site disaster recovery sites can also be corrupted. In a poorly designed system, this can make automatic restore operations hopeless and effectively knocks the network back to zero.

Getting on-line services and information back after a crypto-ransomware attack becomes a race against the clock as the victim struggles to stop lateral movement, eradicate the crypto-ransomware and resume mission-critical activity. Because crypto-ransomware takes time to replicate, attacks are usually launched during weekends and nights, when penetrations tend to take longer to uncover. This multiplies the difficulty of quickly marshalling and coordinating a qualified mitigation team.

Progent has a variety of support services for protecting organizations from ransomware events. Among these are team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security solutions with AI capabilities from SentinelOne to identify and quarantine new cyber attacks automatically. Progent also offers the services of seasoned crypto-ransomware recovery consultants with the skills and perseverance to reconstruct a compromised network as soon as possible.

Progent's Crypto-Ransomware Recovery Help
Soon after a ransomware penetration, paying the ransom demand in cryptocurrency does not ensure that the criminal gang will respond with the keys to decipher all your files. Kaspersky determined that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. Paying is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to re-install the mission-critical parts of your IT environment. Without full system backups available, this requires a wide complement of skills, well-coordinated project management, and the ability to work 24x7 until the task is over.

For two decades, Progent has offered certified expert Information Technology services for businesses in Austin and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have been awarded top certifications in important technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity engineers have earned internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of experience gives Progent the ability to quickly identify necessary systems, re-organize the surviving components of your network environment following a ransomware attack, and configure them into an operational network.

Progent's security team uses powerful project management systems to coordinate the complex restoration process. Progent appreciates the urgency of acting quickly and in unison with a client's management and Information Technology staff to prioritize tasks and to get the most important services back on-line as fast as possible.

Customer Story: A Successful Crypto-Ransomware Attack Recovery
A small business hired Progent after their network was crashed by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored criminal gangs, possibly using tools leaked from the U.S. NSA. Ryuk seeks out specific businesses with little or no tolerance for disruption and is one of the most profitable examples of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with around 500 workers. The Ryuk attack had paralyzed all essential operations and manufacturing processes. The majority of the client's backups had been on-line at the time of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end called Progent.


"I cannot say enough about the help Progent provided us during the most critical period of (our) business's existence. We would have paid the cybercriminals except for the confidence the Progent team provided us. The fact that you could get our e-mail system and critical servers back on-line faster than 1 week was earth shattering. Each consultant I got help from or communicated with at Progent was laser focused on getting us restored and was working all day and night on our behalf."

Progent worked with the customer to rapidly understand and prioritize the mission critical areas that had to be addressed to make it possible to restart departmental functions:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting and Manufacturing Software

To get going, Progent followed incident response industry best practices by stopping lateral movement and removing the malware from affected systems. Progent then started the work of bringing Active Directory back online, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not function without AD, and the client's financials and MRP system used SQL Server, which needs Active Directory services for authentication to the database.

Within two days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then helped perform setup and hard drive recovery on essential applications. All Exchange data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to find local OST data files (Microsoft Outlook Off-Line Folder Files) on various PCs and laptops in order to recover email information. A recent off-line backup of the customer's accounting/MRP systems made it possible to bring these required applications back online for users. Although a lot of work was left to recover fully from the Ryuk damage, the most important systems were returned to operation rapidly:
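One part of that email recovery step a practitioner would want to automate is triaging which Outlook data files on the surviving PCs are still usable before anyone tries to import them. The following added example (not Progent's own tooling) walks a directory tree, finds .ost/.pst files including renamed copies, and checks the 4-byte "!BDN" header that the MS-PST format requires, so an encrypted or truncated copy is flagged; the directory layout and the `.locked` suffix are constructed sample data.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

# Every .pst/.ost file in the MS-PST format starts with the 4-byte magic "!BDN"
# (dwMagic = 0x4E444221 stored little-endian). A copy that ransomware has
# encrypted in place, or that was truncated mid-write, will not have it.
OUTLOOK_MAGIC = b"!BDN"


@dataclass
class OutlookFileReport:
    path: str
    size_bytes: int
    modified_utc: datetime
    intact: bool  # True when the header magic is present


def looks_like_outlook_file(name: str) -> bool:
    """Match outlook.ost as well as renamed copies such as outlook.ost.locked."""
    lower = name.lower()
    return ".ost" in lower or ".pst" in lower


def header_intact(path: str) -> bool:
    """Read only the first 4 bytes; a multi-gigabyte OST is never loaded fully."""
    with open(path, "rb") as fh:
        return fh.read(4) == OUTLOOK_MAGIC


def triage_outlook_files(root: str) -> list:
    """Walk root and report every candidate Outlook data file, intact or not."""
    reports = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not looks_like_outlook_file(name):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            reports.append(OutlookFileReport(
                path=full,
                size_bytes=st.st_size,
                modified_utc=datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
                intact=header_intact(full),
            ))
    return sorted(reports, key=lambda r: r.path)


def build_sample_tree() -> str:
    """Constructed sample data: one intact OST, one encrypted-looking copy, one decoy."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    os.makedirs(os.path.join(root, "user1"))
    os.makedirs(os.path.join(root, "user2"))
    with open(os.path.join(root, "user1", "outlook.ost"), "wb") as fh:
        fh.write(OUTLOOK_MAGIC + b"\x00" * 508)  # valid header, padded body
    # Hypothetical ransomware output: renamed and overwritten with ciphertext.
    with open(os.path.join(root, "user2", "outlook.ost.locked"), "wb") as fh:
        fh.write(b"\x9f\x1c\x77\x02" + b"\xab" * 508)
    with open(os.path.join(root, "user2", "notes.txt"), "w") as fh:
        fh.write("not an Outlook data file\n")
    return root


if __name__ == "__main__":
    for r in triage_outlook_files(build_sample_tree()):
        state = "INTACT" if r.intact else "DAMAGED/ENCRYPTED"
        print(f"{state:18} {r.size_bytes:>8} B  {r.modified_utc:%Y-%m-%d %H:%M}  {r.path}")
```

Point `triage_outlook_files` at a mounted user profile share or a collected disk image to get the same report for real endpoints.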


"For the most part, the production manufacturing operation survived unscathed and we delivered all customer deliverables."

Over the next month critical milestones in the recovery process were completed in close collaboration between Progent consultants and the customer:

  • In-house web sites were returned to operation without losing any information.
  • The MailStore Exchange Server containing more than 4 million historical emails was spun up and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were completely restored.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • 90% of the desktops and laptops were back into operation.

"A huge amount of what went on those first few days is mostly a blur for me, but I will not forget the care each and every one of your team put in to help get our business back. I've been working together with Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This time was a stunning achievement."

Conclusion
A probable business extinction catastrophe was averted through the efforts of dedicated experts, a wide spectrum of knowledge, and tight collaboration. In hindsight, the ransomware incident detailed here should have been shut down by modern security technology and best practices, user education, and well designed procedures for information backup and software patching; the reality, however, is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware incident, feel confident that Progent's roster of professionals has extensive experience in ransomware blocking, cleanup, and data disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for letting me get some sleep after we got past the initial fire. Everyone did an impressive job, and if anyone that helped is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Austin a portfolio of remote monitoring and security assessment services designed to assist you to minimize your vulnerability to crypto-ransomware. These services utilize modern artificial intelligence technology to detect zero-day variants of ransomware that can escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily escape legacy signature-matching AV products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to automate the entire malware attack progression including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge tools packaged within one agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business to design and implement a ProSight ESP deployment that addresses your organization's specific needs and that helps you prove compliance with government and industry data security standards. Progent will assist you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent's consultants can also help you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with advanced backup software companies to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup processes and allow transparent backup and fast restoration of vital files/folders, apps, system images, and virtual machines. ProSight DPS helps your business protect against data loss caused by equipment failures, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned insiders, or software glitches. Managed backup services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top data security companies to deliver web-based management and world-class security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-based malware. The Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from making it to your security perimeter. This reduces your exposure to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper level of inspection for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map, track, optimize and debug their networking hardware such as routers and switches, firewalls, and access points plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, captures and manages the configuration information of almost all devices on your network, tracks performance, and generates alerts when issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating appliances that require critical updates, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating at peak levels by tracking the state of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent consultant so that any potential problems can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to a different hosting solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect information related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save up to 50% of time wasted looking for critical information about your network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates next generation behavior analysis technology to guard endpoint devices as well as servers and VMs against modern malware assaults like ransomware and email phishing, which routinely get by traditional signature-matching AV tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provide a unified platform to address the entire threat progression including blocking, identification, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Call Center: Support Desk Managed Services
    Progent's Support Center managed services permit your information technology staff to offload Help Desk services to Progent or split activity for Service Desk support seamlessly between your internal support team and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a transparent supplement to your internal support team. User interaction with the Help Desk, provision of technical assistance, issue escalation, trouble ticket generation and updates, performance metrics, and management of the support database are cohesive whether incidents are taken care of by your core support staff, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of any size a versatile and affordable alternative for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT system. In addition to maximizing the security and functionality of your IT environment, Progent's software/firmware update management services free up time for your IT team to concentrate on more strategic projects and activities that deliver the highest business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo supports single-tap identity verification on iOS, Google Android, and other personal devices. With 2FA, whenever you log into a secured online account and give your password you are requested to confirm your identity via a device that only you possess and that is accessed using a separate network channel. A broad range of devices can be utilized for this added form of ID validation such as an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may register multiple validation devices. To find out more about Duo identity validation services, see Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of real-time reporting tools created to integrate with the industry's top ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-through or machines with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For 24-7 Austin Crypto Cleanup Experts, call Progent at 800-462-8800 or go to Contact Progent.