Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware  Remediation ProfessionalsRansomware has become a too-frequent cyberplague that represents an extinction-level danger for businesses of all sizes vulnerable to an attack. Versions of ransomware such as Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still inflict harm. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, plus more unnamed newcomers, not only encrypt on-line critical data but also infect all configured system protection mechanisms. Information synched to the cloud can also be ransomed. In a poorly designed data protection solution, it can make automated recovery impossible and effectively knocks the datacenter back to square one.

Recovering programs and information after a crypto-ransomware intrusion becomes a sprint against time as the victim fights to stop lateral movement, cleanup the ransomware, and resume mission-critical activity. Since crypto-ransomware requires time to move laterally, assaults are often sprung on weekends, when attacks tend to take longer to discover. This multiplies the difficulty of rapidly mobilizing and coordinating an experienced response team.

Progent provides an assortment of services for securing enterprises from crypto-ransomware attacks. These include staff education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security appliances with artificial intelligence technology from SentinelOne to discover and quarantine zero-day cyber attacks intelligently. Progent also can provide the assistance of veteran crypto-ransomware recovery engineers with the skills and perseverance to reconstruct a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Help
After a ransomware penetration, sending the ransom in cryptocurrency does not provide any assurance that cyber hackers will provide the codes to unencrypt any or all of your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information even after having paid the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms are often a few hundred thousand dollars. For larger enterprises, the ransom demand can reach millions. The alternative is to setup from scratch the critical elements of your Information Technology environment. Without access to full data backups, this calls for a broad range of skills, top notch project management, and the ability to work 24x7 until the task is finished.

For decades, Progent has offered certified expert Information Technology services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience with financial management and ERP software solutions. This breadth of expertise provides Progent the ability to rapidly ascertain critical systems and integrate the surviving components of your computer network system after a crypto-ransomware attack and rebuild them into an operational network.

Progent's ransomware team of experts utilizes top notch project management applications to orchestrate the sophisticated restoration process. Progent appreciates the importance of acting swiftly and in concert with a customer's management and IT team members to assign priority to tasks and to get the most important services back on line as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Response
A business sought out Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is thought to have been created by Northern Korean state sponsored cybercriminals, possibly adopting approaches leaked from the U.S. National Security Agency. Ryuk attacks specific companies with little or no tolerance for operational disruption and is one of the most profitable iterations of ransomware viruses. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago with around 500 workers. The Ryuk intrusion had disabled all business operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the intrusion and were damaged. The client was taking steps for paying the ransom (in excess of two hundred thousand dollars) and wishfully thinking for the best, but in the end engaged Progent.


"I cannot say enough in regards to the support Progent provided us during the most critical period of (our) company's existence. We most likely would have paid the criminal gangs except for the confidence the Progent team afforded us. The fact that you could get our messaging and important servers back online in less than seven days was beyond my wildest dreams. Each staff member I interacted with or communicated with at Progent was laser focused on getting us back online and was working day and night to bail us out."

Progent worked hand in hand the client to quickly understand and assign priority to the mission critical applications that needed to be recovered to make it possible to restart departmental operations:

  • Windows Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To get going, Progent followed AV/Malware Processes event mitigation industry best practices by isolating and removing active viruses. Progent then initiated the process of restoring Windows Active Directory, the core of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange email will not operate without Active Directory, and the client's accounting and MRP applications used Microsoft SQL, which requires Active Directory for authentication to the information.

Within two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then helped perform rebuilding and storage recovery on needed systems. All Exchange schema and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to assemble local OST files (Microsoft Outlook Offline Folder Files) on staff PCs and laptops to recover email messages. A recent off-line backup of the businesses manufacturing systems made it possible to return these required applications back online. Although a large amount of work still had to be done to recover completely from the Ryuk virus, essential services were recovered quickly:


"For the most part, the assembly line operation was never shut down and we made all customer orders."

During the following month critical milestones in the restoration project were achieved through tight cooperation between Progent engineers and the client:

  • Internal web applications were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server exceeding four million historical messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory modules were 100% functional.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Nearly all of the user PCs were being used by staff.

"Much of what happened in the initial days is mostly a blur for me, but my management will not soon forget the countless hours each and every one of you accomplished to help get our business back. I've been working with Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered as promised. This event was a life saver."

Conclusion
A probable enterprise-killing disaster was averted due to hard-working experts, a wide array of IT skills, and close collaboration. Although in retrospect the ransomware incident detailed here should have been identified and blocked with up-to-date cyber security solutions and recognized best practices, user and IT administrator education, and appropriate incident response procedures for backup and applying software patches, the fact is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has substantial experience in ransomware virus blocking, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were involved), I'm grateful for allowing me to get rested after we made it past the most critical parts. Everyone did an impressive effort, and if anyone that helped is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Edmonton a range of remote monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services include modern machine learning technology to detect new strains of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network running efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT staff and your Progent engineering consultant so that any looming issues can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, enhance and debug their networking appliances such as routers, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and manages the configuration of virtually all devices on your network, tracks performance, and generates notices when issues are discovered. By automating tedious network management activities, WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, locating appliances that need critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of real-time reporting tools designed to work with the top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues such as inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup/restore software companies to produce ProSight Data Protection Services, a portfolio of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products automate and monitor your backup processes and enable transparent backup and fast recovery of critical files/folders, applications, system images, plus virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or application glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to deliver centralized management and world-class protection for all your email traffic. The hybrid structure of Email Guard integrates cloud-based filtering with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. The cloud filter acts as a preliminary barricade and keeps most unwanted email from making it to your network firewall. This reduces your exposure to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper level of inspection for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo enables one-tap identity verification with iOS, Google Android, and other personal devices. Using 2FA, whenever you sign into a protected application and give your password you are requested to confirm who you are via a unit that only you have and that uses a different network channel. A broad selection of devices can be used as this second form of ID validation such as an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may register multiple verification devices. To find out more about Duo identity authentication services, go to Duo MFA two-factor authentication services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Call Desk services allow your IT staff to outsource Support Desk services to Progent or divide responsibilities for support services seamlessly between your internal network support resources and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth supplement to your corporate support group. User interaction with the Service Desk, provision of technical assistance, escalation, ticket creation and updates, performance metrics, and management of the support database are consistent regardless of whether issues are resolved by your internal IT support resources, by Progent's team, or both. Find out more about Progent's outsourced/shared Help Desk services.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that utilizes next generation behavior analysis tools to guard endpoint devices and servers and VMs against modern malware assaults like ransomware and email phishing, which easily get by traditional signature-based anti-virus products. Progent Active Security Monitoring services protect local and cloud-based resources and provides a unified platform to automate the entire malware attack progression including protection, identification, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware defense and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard data about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save up to 50% of time thrown away looking for vital information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents related to managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective alternative for assessing, testing, scheduling, applying, and documenting updates to your ever-evolving information network. Besides optimizing the security and functionality of your IT network, Progent's patch management services allow your in-house IT team to concentrate on more strategic projects and activities that derive the highest business value from your information network. Read more about Progent's patch management services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved easily to an alternate hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to address the entire malware attack progression including filtering, identification, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies incorporated within one agent accessible from a unified console. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP environment that addresses your company's specific needs and that allows you prove compliance with government and industry data protection standards. Progent will assist you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent's consultants can also assist you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.
For Edmonton 24x7x365 Crypto Remediation Help, contact Progent at 800-462-8800 or go to Contact Progent.