Ransomware: Your Feared IT Catastrophe
Ransomware Recovery Professionals
Crypto-ransomware has become an escalating cyber plague that represents an existential danger for businesses of all sizes vulnerable to an attack. Earlier ransomware families such as Reveton, Fusob, Locky, NotPetya and the MongoLock cryptoworm have been around for many years and continue to cause destruction. Modern crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, along with frequent as-yet-unnamed strains, not only encrypt online data but also infect any system backups they can reach. Files replicated to off-site disaster recovery sites can also be ransomed. With a vulnerable data protection solution, this can make any restore operation useless and knocks the datacenter back to square one.

Getting applications and data back online after a crypto-ransomware attack becomes a race against the clock as the victim struggles to contain and remove the ransomware and to restore mission-critical activity. Since ransomware needs time to spread, attacks are frequently launched on weekends, when a successful intrusion typically takes longer to notice. This multiplies the difficulty of rapidly assembling and coordinating a capable response team.

Progent offers a range of solutions for protecting organizations from ransomware events. Among these are user education to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions from SentinelOne with machine learning capabilities to detect and disable zero-day threats rapidly. Progent can also provide the assistance of veteran ransomware recovery engineers with the track record and perseverance to redeploy a breached system as urgently as possible.

Progent's Ransomware Recovery Services
Paying the ransom in cryptocurrency after a ransomware attack does not guarantee that the criminals will hand over the keys needed to decrypt any of your files. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNet determined to be around $13,000. The other path is to rebuild the critical components of your IT environment. Without access to complete data backups, this calls for a wide range of skills, top-notch project management, and the willingness to work 24x7 until the recovery project is completed.

For twenty years, Progent has provided professional IT services for businesses in El Paso and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial systems and ERP software solutions. This breadth of experience affords Progent the skills to rapidly understand important systems and re-organize the remaining parts of your computer network system after a crypto-ransomware event and configure them into a functioning network.

Progent's security group uses best-of-breed project management systems to coordinate the complex restoration process. Progent understands the urgency of acting quickly and works together with a client's management and IT team members to prioritize tasks and to bring critical applications back online as fast as possible.

Business Case Study: A Successful Crypto-Ransomware Penetration Recovery
A client engaged Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state cybercriminals, suspected of using techniques leaked from America's National Security Agency. Ryuk targets specific companies with little tolerance for operational disruption and is among the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago with about 500 employees. The Ryuk attack had shut down all business operations and manufacturing processes. The majority of the client's system backups had been online at the start of the intrusion and were eventually encrypted. The client was considering paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I cannot speak enough about the help Progent gave us during the most critical period of (our) business's existence. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and production servers back on-line faster than 1 week was amazing. Each consultant I spoke to or e-mailed at Progent was totally committed to getting our company operational and was working all day and night on our behalf."

Progent worked together with the client to quickly identify and prioritize the essential services that had to be restored before departmental functions could resume:

  • Active Directory
  • Electronic Messaging
  • Accounting/MRP

First, Progent followed malware incident-mitigation best practices: it halted the spread of the ransomware and then removed the malware. Progent then began restoring Microsoft Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Exchange messaging will not work without AD, and the customer's financials and MRP system used Microsoft SQL Server, which depends on Active Directory to authenticate access to the data.
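The dependency chain in the paragraph above (Active Directory before Exchange and SQL Server, SQL Server before the accounting/MRP application) is one instance of a general restore-sequencing problem. The Python script below is an added example, not code from Progent or from the original case study. It takes a map of service dependencies, computes a rebuild order in which every service is restored only after the services it needs, pulls business priority forward onto the dependencies those priorities rely on, and flags which services cannot be rebuilt because they, or something they depend on, have no clean backup source. The dependency map, the priority list and the "Internal web sites" dependency are constructed for illustration; only the Active Directory, Exchange and SQL Server relationships come from the case study.

```python
"""Restore-order planner for ransomware recovery (added example).

Given a map of which services depend on which, compute the order in which to
rebuild them so that every service is restored only after the services it needs,
and report which services are blocked because no clean (uninfected) backup
source exists for them or for something they depend on.
"""
import heapq

# Constructed dependency map. Assumption: only "Exchange needs AD" and
# "accounting/MRP uses SQL Server, which needs AD" come from the case study;
# the "Internal web sites" dependency is invented for the example.
DEPENDENCIES = {
    "Active Directory": set(),
    "Exchange": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "Accounting/MRP": {"SQL Server"},
    "Internal web sites": {"Active Directory"},
}

# Business priority as the client ranked the essential services.
PRIORITY = ["Active Directory", "Exchange", "Accounting/MRP"]


def _all_nodes(deps):
    """Every service named anywhere in the map, as a key or as a dependency."""
    nodes = set(deps)
    for needs in deps.values():
        nodes |= needs
    return nodes


def _effective_rank(deps, priority):
    """Rank each service by urgency (0 = most urgent). A dependency inherits the
    urgency of its most urgent dependent, so SQL Server becomes as urgent as the
    accounting/MRP system that cannot run without it."""
    default = len(priority)
    rank = {n: default for n in _all_nodes(deps)}
    rank.update({name: i for i, name in enumerate(priority)})
    changed = True
    while changed:  # relax until no dependency is less urgent than a dependent
        changed = False
        for svc, needs in deps.items():
            for dep in needs:
                if rank[svc] < rank[dep]:
                    rank[dep] = rank[svc]
                    changed = True
    return rank


def restore_order(deps, priority=()):
    """Kahn's topological sort: return the rebuild order. Among services whose
    dependencies are all restored, the most urgent goes first (ties by name).
    Raises ValueError if the dependency graph contains a cycle."""
    nodes = _all_nodes(deps)
    rank = _effective_rank(deps, priority)
    indegree = {n: len(deps.get(n, set())) for n in nodes}
    dependents = {n: set() for n in nodes}
    for svc, needs in deps.items():
        for dep in needs:
            dependents[dep].add(svc)
    ready = [(rank[n], n) for n in nodes if indegree[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, svc = heapq.heappop(ready)
        order.append(svc)
        for child in dependents[svc]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (rank[child], child))
    if len(order) != len(nodes):
        stuck = sorted(nodes - set(order))
        raise ValueError("dependency cycle involving: " + ", ".join(stuck))
    return order


def blocked_services(deps, clean_sources):
    """Services that cannot be rebuilt from backup: those with no clean restore
    source (e.g. an online backup the ransomware encrypted) plus everything that
    transitively depends on them."""
    blocked = set()
    for svc in restore_order(deps):  # topological, so dependencies come first
        if svc not in clean_sources or deps.get(svc, set()) & blocked:
            blocked.add(svc)
    return blocked


if __name__ == "__main__":
    print("Rebuild order:", restore_order(DEPENDENCIES, PRIORITY))
    # Constructed scenario: Active Directory's only backup was online and got
    # encrypted, so AD has no clean source and nothing that needs AD can be rebuilt.
    clean = set(DEPENDENCIES) - {"Active Directory"}
    print("Blocked without a clean AD source:",
          sorted(blocked_services(DEPENDENCIES, clean)))
```

The second function makes the planning point concrete: because every other service in this map depends on Active Directory, a missing clean AD backup blocks the entire rebuild, which is why the backup that protects the directory (and other root dependencies) has to be kept offline or otherwise unreachable from the production network.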

In less than 48 hours, Progent restored Active Directory to its pre-attack state. Progent then began rebuilding and hard drive recovery on key systems. All Exchange data and configuration information were intact, which greatly simplified the restoration of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder Files) from various PCs and laptops in order to recover email messages. A reasonably recent offline backup of the business's manufacturing software made it possible to bring these vital services back online for users. Although a great deal of work remained to recover completely from the Ryuk attack, essential systems were restored quickly:


"For the most part, the production operation did not miss a beat and we made all customer deliverables."

Throughout the next month, key milestones in the recovery process were achieved through close collaboration between Progent engineers and the customer:

  • Internal web sites were brought back up without losing any information.
  • The MailStore Exchange Server with over four million archived messages was brought online and available for users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were fully operational.
  • A new Palo Alto 850 firewall was set up and programmed.
  • Most desktop computers were back in use by staff.

"A lot of what happened in the initial days is nearly entirely a blur for me, but my team will not forget the countless hours each and every one of your team put in to help get our business back. I've been working together with Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered. This situation was the most impressive ever."

Conclusion
A probable company-ending catastrophe was averted by top-tier professionals, a broad spectrum of subject matter expertise, and tight teamwork. In hindsight, the ransomware intrusion described here should have been identified and stopped by modern security technology, NIST Cybersecurity Framework best practices, user education, well-designed information protection procedures, and timely security patching. The fact remains, however, that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and will keep attacking. If you do fall victim to a crypto-ransomware intrusion, remember that Progent's team of professionals has extensive experience in ransomware defense, mitigation, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for making it so I could get some sleep after we got past the initial fire. All of you did an incredible job, and if anyone is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in El Paso a variety of remote monitoring and security evaluation services designed to help you reduce your vulnerability to ransomware. These services incorporate next-generation machine learning technology to uncover new strains of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next-generation behavior-based machine learning tools to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily escape traditional signature-based AV products. ProSight ASM protects local and cloud resources and offers a single platform to address the entire threat progression including filtering, detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools packaged within a single agent accessible from a single control. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP environment that addresses your company's unique requirements and that allows you to prove compliance with legal and industry information protection standards. Progent will assist you in specifying and configuring the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent's consultants can also assist your company to install and verify a backup and restore system like ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup technology providers to create ProSight Data Protection Services, a family of offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup operations and enable non-disruptive backup and rapid restoration of critical files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss resulting from hardware failures, natural calamities, fire, malware like ransomware, user error, ill-intentioned insiders, or application bugs. Managed services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to deliver web-based control and world-class security for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most unwanted email before it reaches your security perimeter. This decreases your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's onsite gateway device provides a deeper layer of analysis for inbound email. For outbound email, the local gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also assist Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, monitor, reconfigure and debug their networking appliances like routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are kept updated, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, locating devices that require critical updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the health of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT personnel and your Progent consultant so any looming problems can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved immediately to an alternate hosting environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that utilizes next-generation behavior-based analysis technology to defend endpoints, servers and VMs against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-matching AV products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and offer a unified platform to automate the entire threat lifecycle including filtering, infiltration detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic network-wide immunization against new threats. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Help Desk: Call Center Managed Services
    Progent's Call Center managed services enable your information technology group to outsource Call Center services to Progent or divide activity for Help Desk services seamlessly between your internal network support team and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a transparent extension of your corporate network support group. User interaction with the Service Desk, provision of support, issue escalation, ticket generation and tracking, efficiency measurement, and management of the support database are consistent regardless of whether issues are taken care of by your core network support organization, by Progent's team, or both. Find out more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of any size a versatile and cost-effective solution for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. In addition to optimizing the protection and functionality of your computer environment, Progent's software/firmware update management services permit your IT team to concentrate on line-of-business projects and activities that derive the highest business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication. Duo enables one-tap identity verification with Apple iOS, Android, and other personal devices. With 2FA, when you sign into a secured application and give your password you are asked to confirm who you are on a device that only you possess and that is accessed using a different ("out-of-band") network channel. A wide selection of out-of-band devices can be utilized as this second means of ID validation including an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You can designate several verification devices. To find out more about ProSight Duo identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of in-depth management reporting utilities created to integrate with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues like spotty support follow-through or machines with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

For El Paso 24/7 Ransomware Removal Experts, call Progent at 800-462-8800 or go to Contact Progent.