Ransomware : Your Worst IT Disaster
Crypto-Ransomware Remediation Consultants
Crypto-ransomware has become a too-frequent cyber pandemic that poses an enterprise-level danger for organizations unprepared for an assault. Older versions of crypto-ransomware like the CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for a long time and still cause havoc. Recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, along with additional as yet unnamed variants, not only encrypt online information but also corrupt any system backups they can reach. Files synchronized to cloud environments can also be rendered useless. In a poorly designed data protection solution, this can make automated restore operations useless and effectively knocks the network back to zero.

Getting services and data back online after a ransomware attack becomes a race against time as the targeted business works to contain the damage, remove the ransomware, and restore business-critical operations. Because crypto-ransomware needs time to replicate, attacks are often launched on weekends, when successful penetrations typically take longer to identify. This multiplies the difficulty of rapidly marshalling and orchestrating an experienced mitigation team.

Progent offers an assortment of solutions for securing organizations against ransomware events. Among these are team education to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security gateways with AI technology from SentinelOne to detect and stop new cyber attacks rapidly. Progent also offers the assistance of veteran crypto-ransomware recovery engineers with the track record and commitment to reconstruct a breached network as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not ensure that the attackers will provide the keys to decrypt all your files. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data even after paying the ransom, resulting in further losses. The ransom itself is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET put at approximately $13,000. The alternative is to rebuild the essential elements of your IT environment. Without access to complete backups, this calls for a wide range of skills, top-notch project management, and the ability to work continuously until the task is finished.

For twenty years, Progent has offered expert Information Technology services for businesses in Austin and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the ability to quickly identify critical systems, salvage the surviving parts of your IT environment after a crypto-ransomware event, and rebuild them into an operational network.

Progent's ransomware group uses state-of-the-art project management applications to coordinate the complex restoration process. Progent understands the importance of acting rapidly and working together with a customer's management and IT staff to prioritize tasks and get critical services back online as soon as humanly possible.

Customer Case Study: A Successful Ransomware Intrusion Response
A client sought out Progent after their company was brought down by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored hackers, suspected of adopting techniques leaked from America's NSA. Ryuk targets specific organizations with little or no tolerance for disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago with around 500 staff members. The Ryuk event had brought down all company operations and manufacturing capabilities. Most of the client's system backups had been online at the beginning of the attack and were damaged. The client was considering paying the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent.


"I can't say enough about the support Progent gave us during the most critical period of (our) business's survival. We had little choice but to pay the criminal gangs if it wasn't for the confidence the Progent team gave us. The fact that you could get our e-mail and essential servers back into operation quicker than seven days was incredible. Each expert I worked with or texted at Progent was hell bent on getting us working again and was working 24/7 to bail us out."

Progent worked hand in hand with the customer to quickly identify and prioritize the most important applications that had to be restored in order to continue business operations:

  • Windows Active Directory
  • E-Mail
  • Financials/MRP

To get started, Progent followed ransomware incident response best practices by halting lateral movement and removing active malware. Progent then began bringing Microsoft Active Directory back online, the core of enterprise environments built on Microsoft Windows technology. Exchange messaging will not operate without Active Directory, and the business's MRP system used SQL Server, which depends on Active Directory for authentication to the database.

Within two days, Progent restored Active Directory to its pre-intrusion state. Progent then moved on to rebuilding the needed servers and recovering data from their hard drives. All Microsoft Exchange Server schema and attributes were intact, which accelerated the restoration of Exchange. Progent was able to collect local OST files (Outlook Offline Folder Files) from user workstations and laptops to recover mail data. A recent offline backup of the business's accounting/MRP software allowed these essential applications to be brought back online. Although a large amount of work remained to recover completely from the Ryuk damage, essential systems were recovered rapidly:


"For the most part, the assembly line operation survived unscathed and we made all customer deliverables."

Over the next month, important milestones in the restoration project were achieved through close collaboration between Progent team members and the client:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Exchange Server containing more than four million archived emails was spun up and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were fully recovered.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Nearly all of the user PCs were fully operational.

"A huge amount of what happened in the early hours is mostly a fog for me, but I will not soon forget the urgency all of the team put in to give us our company back. I've been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A likely business-ending disaster was avoided through the efforts of results-oriented professionals, a wide array of IT skills, and close teamwork. Although, in hindsight, the ransomware intrusion described here could have been prevented with up-to-date security systems, recognized best practices, team training, and well-thought-out procedures for data backup and timely security patching, the fact remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has substantial experience in crypto-ransomware blocking, remediation, and information systems recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for making it so I could get rested after we made it through the initial fire. Everyone did a fabulous job, and if any of your team is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Austin a variety of online monitoring and security assessment services to help you minimize your exposure to crypto-ransomware. These services incorporate next-generation artificial intelligence capability to detect zero-day strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based analysis technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily escape legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to automate the entire threat progression including protection, identification, containment, remediation, and forensics. Top features include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services offer economical multi-layer security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, endpoint control, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a unified control. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP environment that addresses your company's unique requirements and that helps you demonstrate compliance with government and industry information security regulations. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require urgent action. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup/restore software companies to create ProSight Data Protection Services, a selection of subscription-based offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and allow transparent backup and rapid recovery of important files, applications, system images, plus virtual machines. ProSight DPS helps your business avoid data loss resulting from hardware failures, natural calamities, fire, cyber attacks such as ransomware, human error, malicious employees, or software glitches. Managed services in the ProSight DPS product line include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security companies to deliver centralized control and comprehensive security for your email traffic. The hybrid architecture of Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper level of inspection for inbound email. For outbound email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to monitor and safeguard internal email that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to map out, track, enhance and troubleshoot their networking appliances like switches, firewalls, and load balancers plus servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept current, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when problems are discovered. By automating complex management and troubleshooting activities, WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, finding devices that require important updates, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to help keep your IT system running at peak levels by tracking the health of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT management staff and your Progent engineering consultant so all potential issues can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can save as much as half the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next-generation behavior analysis technology to defend endpoints, servers, and VMs against modern malware attacks such as ransomware and email phishing, which easily get by traditional signature-matching anti-virus tools. Progent Active Security Monitoring services protect local and cloud-based resources and offer a unified platform to automate the complete malware attack progression including filtering, detection, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Desk: Support Desk Managed Services
    Progent's Help Center services permit your IT staff to offload Call Center services to Progent or split responsibilities for support services transparently between your in-house network support team and Progent's extensive roster of certified IT support engineers and subject matter experts. Progent's Shared Service Desk provides a transparent supplement to your corporate support staff. User interaction with the Service Desk, delivery of support, issue escalation, trouble ticket creation and tracking, performance metrics, and maintenance of the service database are cohesive regardless of whether incidents are resolved by your internal network support resources, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Help Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management provide organizations of any size a versatile and affordable alternative for assessing, validating, scheduling, implementing, and documenting updates to your dynamic information system. In addition to maximizing the protection and reliability of your IT network, Progent's patch management services free up time for your in-house IT team to concentrate on line-of-business projects and tasks that deliver the highest business value from your network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication. Duo enables single-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With Duo 2FA, when you log into a protected online account and enter your password, you are asked to confirm who you are on a device that only you possess and that uses a different network channel. A wide selection of out-of-band devices can be used for this added form of ID validation, including an iPhone, Android phone, or smart watch, a hardware/software token, a landline telephone, etc. You can register multiple verification devices. For details about Duo identity validation services, refer to Duo MFA two-factor authentication (2FA) services.

For Austin 24/7 crypto-ransomware remediation services, reach out to Progent at 800-462-8800 or go to Contact Progent.