Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware Remediation Experts
Ransomware has become a too-frequent cyberplague that presents an extinction-level threat for organizations vulnerable to an attack. Multiple generations of crypto-ransomware like the Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for many years and still inflict harm. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with daily unnamed viruses, not only encrypt on-line data files but also infect many configured system backups. Information synced to off-site disaster recovery sites can also be ransomed. In a poorly architected data protection solution, this can render automatic restoration impossible and effectively knock the datacenter back to zero.

Restoring programs and data after a ransomware attack becomes a race against the clock as the targeted organization struggles to contain the damage, clean up the ransomware, and restore enterprise-critical operations. Since ransomware needs time to spread, intrusions are frequently launched on weekends and holidays, when attacks often take longer to uncover. This multiplies the difficulty of promptly assembling and coordinating an experienced mitigation team.

Progent provides an assortment of help services for protecting enterprises from crypto-ransomware penetrations. Among these are user training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security solutions with AI technology from SentinelOne to detect and suppress zero-day cyber threats quickly. Progent in addition offers the assistance of seasoned ransomware recovery professionals with the track record and commitment to restore a compromised environment as rapidly as possible.

Progent's Ransomware Recovery Services
Soon after a ransomware penetration, sending the ransom in cryptocurrency provides no assurance that distant criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to piece back together the critical elements of your Information Technology environment. Without complete information backups, this requires a wide complement of IT skills, top-notch team management, and the willingness to work 24x7 until the task is complete.

For two decades, Progent has offered professional IT services for businesses in Dallas and throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security specialists have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise in accounting and ERP applications. This breadth of experience affords Progent the ability to rapidly identify necessary systems and organize the remaining pieces of your network environment after a crypto-ransomware penetration and assemble them into an operational network.

Progent's security group utilizes best-of-breed project management tools to orchestrate the complicated recovery process. Progent knows the importance of working quickly and together with a customer's management and Information Technology resources to assign priority to tasks and to get key applications back on-line as soon as humanly possible.

Client Story: A Successful Ransomware Incident Recovery
A customer engaged Progent after their network was attacked by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored hackers, possibly adopting techniques leaked from America's National Security Agency. Ryuk attacks specific organizations with limited room for disruption and is one of the most lucrative examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with around 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. Most of the client's system backups had been on-line at the start of the attack and were destroyed. The client was pursuing financing to pay the ransom (exceeding $200,000) and hoping for the best, but ultimately brought in Progent.


"I cannot thank you enough for the care Progent provided us throughout the most stressful period of (our) business's existence. We most likely would have paid the criminal gangs if not for the confidence the Progent group afforded us. That you could get our messaging and production servers back on-line in less than seven days was amazing. Each expert I talked with or e-mailed at Progent was hell bent on getting us back online and was working at all hours to bail us out."

Progent worked hand in hand with the customer to quickly understand and prioritize the critical areas that had to be addressed to make it possible to restart departmental functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident mitigation by stopping the spread and cleaning up compromised systems. Progent then started the steps of bringing Microsoft Active Directory back online, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange Server messaging will not work without AD, and the customer's accounting and MRP system ran on Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then completed setup and storage recovery on essential systems. All Microsoft Exchange Server data and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to collect intact OST data files (Outlook Offline Folder Files) on staff desktop computers in order to recover email data. A recent off-line backup of the customer's financials/ERP software made it possible to restore these required applications to service. Although major work still had to be done to recover fully from the Ryuk virus, core systems were recovered quickly:
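Two practical lessons stand out from the recovery described above: backup copies that were on-line (or synced to an off-site replica) when the ransomware ran were lost, and core systems had to come back in dependency order (Active Directory first, because Exchange and SQL Server depend on it, and the accounting/MRP application depends on SQL Server). The following Python script is an added illustration of both points; it is not Progent's code or any Progent tool, and the system inventory in it is constructed for the example rather than taken from the customer's environment. It classifies each system's backups as exposed (reachable by ransomware on the network) or isolated, then computes a restore order in which every system is restored only after the systems it depends on.

```python
"""Ransomware recovery planning helper (illustrative example, constructed inventory)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Backup locations that ransomware with network/file-system access can encrypt.
# "online" = attached disk or share; "synced-offsite" = replica that mirrors
# the (already encrypted) primary. Only "offline" copies are treated as safe.
EXPOSED_BACKUPS = {"online", "synced-offsite"}


@dataclass
class System:
    name: str
    depends_on: List[str] = field(default_factory=list)
    backups: List[str] = field(default_factory=list)


def recoverable_backups(system: System) -> List[str]:
    """Backup copies that the attacker could not have reached."""
    return [b for b in system.backups if b not in EXPOSED_BACKUPS]


def restore_order(systems: Dict[str, System]) -> List[str]:
    """Kahn's topological sort: each system appears after everything it depends on.

    Ties are broken alphabetically so the output is deterministic; a cycle or a
    reference to an unknown system raises ValueError instead of silently
    producing a partial plan.
    """
    indegree = {name: 0 for name in systems}
    dependents: Dict[str, List[str]] = {name: [] for name in systems}
    for sys_ in systems.values():
        for dep in sys_.depends_on:
            if dep not in systems:
                raise ValueError(f"{sys_.name} depends on unknown system {dep!r}")
            indegree[sys_.name] += 1
            dependents[dep].append(sys_.name)

    ready = [name for name, d in indegree.items() if d == 0]
    order: List[str] = []
    while ready:
        ready.sort()
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(systems):
        raise ValueError("dependency cycle: no valid restore order")
    return order


def recovery_plan(systems: Dict[str, System]) -> List[dict]:
    """Ordered plan: which isolated copy to restore from, or flag a rebuild."""
    plan = []
    for name in restore_order(systems):
        usable = recoverable_backups(systems[name])
        restore_from: Optional[str] = usable[0] if usable else None
        plan.append({"system": name,
                     "restore_from": restore_from,
                     "needs_rebuild": restore_from is None})
    return plan


# Constructed inventory for the example (hypothetical, not the customer's data).
SAMPLE_INVENTORY: Dict[str, System] = {
    "Active Directory": System("Active Directory", [], ["online"]),
    "Exchange": System("Exchange", ["Active Directory"], ["online", "offline"]),
    "SQL Server": System("SQL Server", ["Active Directory"], ["online", "synced-offsite"]),
    "ERP": System("ERP", ["SQL Server"], ["offline"]),
    "Web apps": System("Web apps", ["Active Directory"], ["synced-offsite"]),
}


if __name__ == "__main__":
    for step in recovery_plan(SAMPLE_INVENTORY):
        action = "REBUILD from scratch" if step["needs_rebuild"] else f"restore from {step['restore_from']}"
        print(f"{step['system']:<18} {action}")
```

Run as a script it prints the plan for the constructed inventory: Active Directory and SQL Server are flagged for rebuild because their only copies were on-line or mirrored off-site, while Exchange and the ERP application can be restored from their off-line copies, and nothing is scheduled before Active Directory. The same classification run against a real backup inventory before an incident shows which systems would be unrecoverable if the ransomware reached every network-attached copy.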


"For the most part, the production line operation did not miss a beat and we produced all customer orders."

Over the next few weeks key milestones in the restoration process were made through close cooperation between Progent team members and the client:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore Exchange Server containing more than 4 million historical messages was brought online and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory capabilities were fully functional.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • 90% of the user desktops and notebooks were functioning as before the incident.

"So much of what occurred those first few days is mostly a fog for me, but my management will not forget the countless hours each of the team put in to give us our company back. I have been working with Progent for at least 10 years, possibly more, and each time Progent has shined and delivered as promised. This situation was a stunning achievement."

Conclusion
A possible business-killing catastrophe was evaded due to results-oriented professionals, a wide spectrum of knowledge, and tight collaboration. Post-incident analysis showed that the crypto-ransomware attack described here would have been prevented with modern security technology, NIST Cybersecurity Framework best practices, user and IT administrator education, and well-thought-out security procedures for data backup and patching controls. Even so, the fact is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware virus defense, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for making it so I could get rested after we made it over the first week. All of you did an amazing effort, and if anyone is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Dallas a portfolio of online monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation artificial intelligence technology to uncover zero-day variants of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely evade legacy signature-based AV tools. ProSight ASM protects on-premises and cloud resources and offers a unified platform to manage the entire malware attack progression including blocking, identification, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against new threats. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer ultra-affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP offers firewall protection, penetration alarms, endpoint management, and web filtering through cutting-edge tools incorporated within a single agent accessible from a single control. Progent's data protection and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that addresses your organization's specific requirements and that helps you prove compliance with legal and industry information protection standards. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent's consultants can also assist you to install and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services, a portfolio of offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup operations and enable non-disruptive backup and fast restoration of critical files, apps, images, plus virtual machines. ProSight DPS helps you protect against data loss caused by equipment failures, natural calamities, fire, cyber attacks like ransomware, human error, malicious employees, or software glitches. Managed backup services in the ProSight DPS product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security companies to provide web-based management and world-class protection for all your email traffic. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with a local gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway device adds a further layer of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, track, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are kept current, captures and manages the configuration of virtually all devices on your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming management activities, ProSight WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, finding appliances that need important software patches, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your network running at peak levels by checking the state of vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT staff and your assigned Progent consultant so that all looming issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect information about your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of time thrown away searching for critical information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting-edge behavior-based machine learning technology to defend endpoints and physical and virtual servers against new malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-based AV tools. Progent Active Security Monitoring services protect on-premises and cloud resources and offer a unified platform to address the complete malware attack progression including blocking, identification, mitigation, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Desk: Call Center Managed Services
    Progent's Support Center managed services enable your information technology group to outsource Call Center services to Progent or split responsibilities for Help Desk services seamlessly between your in-house support staff and Progent's nationwide pool of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a transparent supplement to your in-house IT support resources. User access to the Service Desk, provision of technical assistance, problem escalation, ticket generation and tracking, efficiency measurement, and management of the service database are consistent regardless of whether issues are resolved by your in-house network support staff, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of all sizes a versatile and affordable solution for assessing, validating, scheduling, applying, and documenting updates to your ever-evolving IT network. In addition to maximizing the security and reliability of your computer network, Progent's patch management services allow your in-house IT team to concentrate on line-of-business initiatives and tasks that derive the highest business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo supports single-tap identity confirmation with iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you sign into a protected application and enter your password you are asked to verify your identity via a device that only you possess and that uses a separate network channel. A wide range of out-of-band devices can be used as this added means of ID validation such as a smartphone or watch, a hardware token, a landline phone, etc. You may designate several validation devices. For details about Duo two-factor identity authentication services, refer to Cisco Duo MFA two-factor authentication services for access security.
For 24-7 Dallas Ransomware Cleanup Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.