Ransomware : Your Crippling Information Technology Catastrophe
Ransomware  Remediation ProfessionalsRansomware has become a too-frequent cyber pandemic that poses an extinction-level threat for businesses vulnerable to an assault. Different iterations of ransomware like the Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still cause damage. Recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, plus daily as yet unnamed malware, not only encrypt online data files but also infiltrate any accessible system backup. Information synched to cloud environments can also be encrypted. In a poorly designed environment, this can render automatic restoration hopeless and effectively knocks the network back to square one.

Recovering applications and data after a crypto-ransomware event becomes a sprint against the clock as the victim struggles to contain and cleanup the ransomware and to restore enterprise-critical activity. Because ransomware takes time to spread, penetrations are often launched during nights and weekends, when penetrations are likely to take longer to notice. This multiplies the difficulty of quickly assembling and coordinating an experienced mitigation team.

Progent has a variety of help services for protecting businesses from ransomware penetrations. Among these are staff training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security solutions with AI technology from SentinelOne to detect and suppress new threats intelligently. Progent in addition can provide the assistance of veteran crypto-ransomware recovery professionals with the skills and perseverance to rebuild a compromised system as urgently as possible.

Progent's Ransomware Restoration Help
After a crypto-ransomware penetration, even paying the ransom demands in cryptocurrency does not provide any assurance that distant criminals will respond with the codes to decipher all your data. Kaspersky ascertained that seventeen percent of crypto-ransomware victims never recovered their data after having paid the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET averages to be around $13,000. The other path is to piece back together the essential components of your Information Technology environment. Absent access to essential system backups, this calls for a broad complement of IT skills, well-coordinated project management, and the willingness to work 24x7 until the task is over.

For twenty years, Progent has provided expert Information Technology services for companies in Durham and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained top certifications in key technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security consultants have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience in financial systems and ERP applications. This breadth of expertise provides Progent the ability to quickly identify critical systems and integrate the surviving components of your Information Technology environment after a ransomware event and configure them into an operational network.

Progent's recovery team has top notch project management tools to orchestrate the complex restoration process. Progent knows the importance of working swiftly and in concert with a client's management and Information Technology resources to prioritize tasks and to put essential services back online as fast as possible.

Business Case Study: A Successful Ransomware Attack Recovery
A client contacted Progent after their organization was crashed by Ryuk ransomware virus. Ryuk is believed to have been launched by Northern Korean state sponsored cybercriminals, possibly using technology leaked from America's National Security Agency. Ryuk targets specific businesses with limited ability to sustain operational disruption and is one of the most profitable examples of ransomware viruses. Headline targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago and has around 500 employees. The Ryuk event had disabled all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the start of the attack and were destroyed. The client was taking steps for paying the ransom demand (exceeding $200K) and praying for the best, but ultimately brought in Progent.


"I cannot tell you enough about the care Progent gave us throughout the most stressful period of (our) businesses existence. We had little choice but to pay the criminal gangs except for the confidence the Progent group gave us. The fact that you could get our messaging and production servers back into operation quicker than one week was earth shattering. Every single expert I talked with or communicated with at Progent was laser focused on getting us working again and was working 24/7 to bail us out."

Progent worked together with the client to quickly understand and prioritize the key services that needed to be recovered in order to restart departmental operations:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting/MRP
To get going, Progent followed Anti-virus event mitigation industry best practices by halting lateral movement and clearing up compromised systems. Progent then started the task of rebuilding Microsoft AD, the core of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server email will not function without Active Directory, and the client's financials and MRP applications used SQL Server, which requires Active Directory services for access to the database.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then performed reinstallations and storage recovery of critical systems. All Microsoft Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to locate non-encrypted OST data files (Microsoft Outlook Offline Data Files) on various PCs and laptops to recover mail information. A recent offline backup of the businesses accounting/MRP software made it possible to recover these essential applications back on-line. Although major work was left to recover fully from the Ryuk attack, core systems were returned to operations quickly:


"For the most part, the production line operation never missed a beat and we did not miss any customer orders."

Over the next couple of weeks critical milestones in the recovery project were completed in close collaboration between Progent team members and the client:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Exchange Server containing more than four million archived emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were 100% functional.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Nearly all of the user PCs were fully operational.

"A huge amount of what occurred that first week is nearly entirely a blur for me, but our team will not forget the countless hours each of you accomplished to give us our company back. I've entrusted Progent for the past ten years, maybe more, and every time Progent has shined and delivered. This time was a testament to your capabilities."

Conclusion
A probable business disaster was evaded through the efforts of hard-working experts, a broad array of IT skills, and close collaboration. Although in hindsight the crypto-ransomware incident detailed here should have been stopped with current cyber security technology solutions and NIST Cybersecurity Framework best practices, user and IT administrator training, and well thought out incident response procedures for information protection and keeping systems up to date with security patches, the fact is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's roster of professionals has proven experience in crypto-ransomware virus blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), I'm grateful for allowing me to get some sleep after we got past the initial fire. Everyone did an amazing effort, and if anyone is in the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Durham a range of online monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence technology to uncover zero-day variants of crypto-ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior-based machine learning tools to defend physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus products. ProSight ASM safeguards local and cloud resources and offers a unified platform to address the entire malware attack lifecycle including filtering, detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver economical multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, endpoint management, and web filtering through cutting-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP deployment that addresses your organization's unique requirements and that helps you prove compliance with government and industry information security regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent can also assist you to set up and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup technology companies to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and allow non-disruptive backup and rapid recovery of critical files, applications, system images, and virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious insiders, or application glitches. Managed backup services in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security vendors to deliver web-based control and comprehensive protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This decreases your vulnerability to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite gateway device provides a deeper level of analysis for inbound email. For outbound email, the local security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map, monitor, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are always current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating complex management activities, WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, locating appliances that need critical software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the state of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT management personnel and your Progent engineering consultant so that all potential problems can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSLs or domains. By cleaning up and managing your network documentation, you can eliminate up to 50% of time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes next generation behavior-based analysis technology to defend endpoints and servers and VMs against modern malware assaults such as ransomware and email phishing, which routinely get by legacy signature-based AV products. Progent ASM services safeguard on-premises and cloud resources and provides a single platform to manage the complete threat lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
    Progent's Call Center managed services permit your IT team to outsource Support Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your internal network support staff and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent extension of your corporate support team. Client interaction with the Service Desk, provision of technical assistance, problem escalation, trouble ticket creation and tracking, efficiency measurement, and management of the service database are cohesive whether issues are taken care of by your corporate network support organization, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management provide organizations of any size a versatile and affordable solution for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your dynamic information network. Besides maximizing the security and functionality of your IT network, Progent's software/firmware update management services permit your in-house IT team to focus on more strategic projects and tasks that derive the highest business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Google Android, and other personal devices. With 2FA, whenever you sign into a protected application and enter your password you are asked to verify who you are via a unit that only you possess and that is accessed using a separate network channel. A broad range of out-of-band devices can be used as this second means of ID validation including a smartphone or watch, a hardware token, a landline phone, etc. You may register several verification devices. For more information about Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of real-time management reporting plug-ins created to integrate with the industry's top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues like inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
For 24-Hour Durham Crypto Cleanup Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.