Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware Recovery Professionals

Ransomware has become an escalating cyber pandemic that represents an enterprise-level threat for businesses unprepared for an attack. Different versions of ransomware like the Dharma, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and continue to inflict harm. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus additional as yet unnamed viruses, not only encrypt critical online data but also attack most configured system-protection mechanisms. Files replicated to the cloud can also be rendered useless. In a poorly architected environment, this can render automated restoration useless and effectively set the network back to square one.

Restoring services and data following a ransomware intrusion becomes a race against the clock as the victim tries its best to stop the spread and remove the virus and to resume business-critical activity. Because ransomware requires time to spread, attacks are often sprung at night, when successful penetrations in many cases take longer to notice. This compounds the difficulty of promptly marshalling and organizing a qualified response team.

Progent has an assortment of services for protecting businesses from ransomware events. These include staff training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of the latest generation security gateways with artificial intelligence technology from SentinelOne to discover and extinguish new cyber attacks rapidly. Progent also offers the assistance of experienced crypto-ransomware recovery engineers with the talent and commitment to re-deploy a breached environment as rapidly as possible.

Progent's Ransomware Recovery Help
Soon after a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not ensure that the attackers will return the keys needed to decipher all your files. Kaspersky determined that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET determined to be around $13,000. The fallback is to rebuild the vital components of your IT environment. Absent complete information backups, this requires a wide range of IT skills, well-coordinated project management, and the capability to work 24x7 until the job is completed.

For decades, Progent has made available professional Information Technology services for businesses in Durham and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity experts have earned internationally-recognized certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to knowledgeably assess critical systems, consolidate the surviving pieces of your network following a ransomware event, and assemble them into an operational system.

Progent's ransomware group uses state-of-the-art project management tools to orchestrate the complex restoration process. Progent knows the importance of acting rapidly and in unison with a customer's management and IT resources to assign priority to tasks and to get critical systems back on-line as fast as humanly possible.

Customer Story: A Successful Ransomware Attack Restoration
A customer contacted Progent after their network was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state cybercriminals, possibly adopting techniques leaked from America's NSA. Ryuk targets specific companies with little or no tolerance for disruption and is among the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with about 500 employees. The Ryuk attack had frozen all business operations and manufacturing capabilities. Most of the client's data protection had been directly accessible at the time of the intrusion and was encrypted. The client was evaluating paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately engaged Progent.


"I can't speak enough about the help Progent gave us throughout the most fearful time of (our) company's survival. We may have had to pay the Hackers if it wasn't for the confidence the Progent group gave us. The fact that you were able to get our e-mail and critical applications back on-line sooner than 1 week was beyond my wildest dreams. Each consultant I talked with or texted at Progent was amazingly focused on getting us working again and was working 24/7 on our behalf."

Progent worked together with the customer to quickly assess and prioritize the critical areas that needed to be recovered to make it possible to restart departmental functions:

  • Active Directory
  • Electronic Mail
  • MRP System

To start, Progent followed industry best practices for ransomware mitigation by stopping the spread and clearing infected systems. Progent then began restoring Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without AD, and the client's financial and MRP applications relied on Microsoft SQL Server, which in turn relied on Windows AD for access to the databases.

Within 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then proceeded to rebuild mission-critical applications and recover their data from disk. All Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent collected intact OST files (Microsoft Outlook Offline Data Files) from staff workstations in order to recover mail data. A reasonably recent off-line backup of the business's accounting/MRP software made it possible to bring these required programs back online. Although a lot of work remained to recover fully from the Ryuk virus, core services were returned to operation quickly:


"For the most part, the assembly line operation never missed a beat and we did not miss any customer shipments."

Over the next few weeks important milestones in the recovery project were completed through close cooperation between Progent engineers and the client:

  • Internal web applications were returned to operation without losing any information.
  • The MailStore Microsoft Exchange Server containing more than 4 million archived messages was brought online and available for users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory Control functions were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the user workstations were operational.

"Much of what happened in the early hours is nearly entirely a blur for me, but my team will not forget the commitment each and every one of you put in to give us our business back. I have been working with Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered. This event was a life saver."

Conclusion
A likely business disaster was averted by dedicated experts, a broad range of knowledge, and tight teamwork. Post-incident analysis showed that the ransomware attack described here would have been identified and stopped by up-to-date cyber security solutions and ISO/IEC 27001 best practices, user and IT administrator training, and appropriate incident response procedures for data backup and patch management. Nevertheless, state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware incursion, you can be confident that Progent's team of experts has a proven track record in ransomware blocking, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get some sleep after we made it past the first week. Everyone did an incredible job, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Durham a range of remote monitoring and security assessment services designed to help you reduce the threat from crypto-ransomware. These services include next-generation artificial intelligence technology to detect zero-day strains of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next generation behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely evade legacy signature-matching AV tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to manage the complete malware attack progression including blocking, detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device management, and web filtering via cutting-edge tools packaged within a single agent managed from a unified control. Progent's security and virtualization experts can help your business to design and implement a ProSight ESP deployment that meets your organization's specific requirements and that helps you prove compliance with government and industry information protection standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent's consultants can also assist you to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup software providers to produce ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup operations and allow transparent backup and fast restoration of critical files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, user mistakes, ill-intentioned employees, or application glitches. Managed services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to provide centralized management and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This decreases your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of analysis for incoming email. For outgoing email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map, monitor, enhance and debug their connectivity hardware such as switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network maps are kept current, captures and displays the configuration information of almost all devices on your network, monitors performance, and sends alerts when problems are detected. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding appliances that require important updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to help keep your network running efficiently by checking the state of critical computers that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT staff and your Progent consultant so any potential problems can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be ported immediately to an alternate hosting solution without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information about your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of the time wasted looking for vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection platform (EPP) solution that incorporates cutting-edge behavior analysis technology to defend endpoints and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which easily get by legacy signature-based AV tools. Progent ASM services protect on-premises and cloud resources and provide a unified platform to automate the entire threat progression including filtering, detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Call Center: Support Desk Managed Services
    Progent's Support Center managed services permit your information technology team to outsource Support Desk services to Progent or split responsibilities for Help Desk services seamlessly between your in-house support resources and Progent's nationwide roster of certified IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a seamless supplement to your internal IT support staff. User access to the Help Desk, provision of support, escalation, ticket generation and updates, efficiency metrics, and management of the support database are cohesive regardless of whether issues are taken care of by your core IT support resources, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide businesses of all sizes a versatile and affordable alternative for assessing, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. Besides optimizing the security and reliability of your computer environment, Progent's patch management services free up time for your in-house IT team to concentrate on more strategic initiatives and activities that derive maximum business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation with iOS, Android, and other personal devices. With Duo 2FA, whenever you log into a protected application and enter your password you are asked to verify who you are via a device that only you have and that uses a separate network channel. A wide range of devices can be used as this second form of identity validation, including a smartphone or watch, a hardware token, or a landline telephone. You may designate several verification devices. For more information about ProSight Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services.

For 24/7 Durham Crypto Recovery Consulting, call Progent at 800-462-8800 or go to Contact Progent.