Ransomware : Your Worst IT Disaster
Ransomware  Recovery ConsultantsCrypto-Ransomware has become a modern cyberplague that represents an enterprise-level threat for businesses poorly prepared for an attack. Multiple generations of ransomware such as CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and continue to inflict destruction. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, along with frequent unnamed malware, not only do encryption of on-line files but also infiltrate most available system protection mechanisms. Files synched to off-site disaster recovery sites can also be rendered useless. In a poorly architected system, this can render automatic recovery impossible and basically sets the datacenter back to square one.

Getting back on-line applications and information following a ransomware intrusion becomes a sprint against time as the targeted business tries its best to stop the spread and eradicate the crypto-ransomware and to resume business-critical activity. Because ransomware takes time to move laterally, penetrations are usually launched during nights and weekends, when successful penetrations tend to take longer to identify. This compounds the difficulty of rapidly marshalling and organizing a knowledgeable mitigation team.

Progent offers a variety of help services for securing enterprises from ransomware events. Among these are user education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security solutions with machine learning capabilities from SentinelOne to detect and quarantine day-zero cyber attacks quickly. Progent also can provide the assistance of veteran ransomware recovery engineers with the track record and perseverance to reconstruct a compromised system as rapidly as possible.

Progent's Crypto-Ransomware Recovery Support Services
Following a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not guarantee that distant criminals will return the needed codes to decrypt all your data. Kaspersky determined that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the typical crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The other path is to piece back together the key elements of your IT environment. Absent the availability of full data backups, this calls for a wide range of IT skills, well-coordinated project management, and the willingness to work continuously until the task is complete.

For two decades, Progent has provided expert IT services for businesses in El Paso and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of expertise gives Progent the ability to quickly understand important systems and consolidate the remaining pieces of your IT environment after a crypto-ransomware event and assemble them into an operational network.

Progent's recovery team deploys best of breed project management tools to orchestrate the sophisticated recovery process. Progent appreciates the importance of acting quickly and in concert with a client's management and IT staff to prioritize tasks and to put key applications back on-line as soon as possible.

Business Case Study: A Successful Ransomware Intrusion Recovery
A customer hired Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been created by Northern Korean state hackers, possibly using technology exposed from America's National Security Agency. Ryuk seeks specific organizations with little or no ability to sustain disruption and is one of the most lucrative examples of ransomware malware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area and has around 500 workers. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. The majority of the client's information backups had been online at the time of the intrusion and were eventually encrypted. The client was taking steps for paying the ransom (more than two hundred thousand dollars) and praying for the best, but ultimately reached out to Progent.


"I cannot tell you enough about the care Progent gave us throughout the most fearful time of (our) businesses life. We had little choice but to pay the criminal gangs if not for the confidence the Progent team afforded us. That you were able to get our e-mail system and production servers back on-line in less than seven days was amazing. Every single expert I spoke to or e-mailed at Progent was amazingly focused on getting my company operational and was working 24 by 7 to bail us out."

Progent worked with the client to rapidly get our arms around and prioritize the essential areas that had to be addressed to make it possible to continue business functions:

  • Active Directory (AD)
  • Electronic Mail
  • MRP System
To get going, Progent followed AV/Malware Processes penetration response industry best practices by halting lateral movement and cleaning up infected systems. Progent then initiated the work of bringing back online Microsoft Active Directory, the core of enterprise systems built on Microsoft technology. Microsoft Exchange messaging will not work without Active Directory, and the businesses' MRP applications used Microsoft SQL Server, which needs Windows AD for security authorization to the data.

Within 48 hours, Progent was able to recover Active Directory services to its pre-intrusion state. Progent then completed reinstallations and storage recovery on key servers. All Microsoft Exchange Server ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to collect local OST data files (Outlook Email Offline Folder Files) on staff workstations in order to recover mail data. A recent off-line backup of the client's accounting/ERP systems made them able to restore these required programs back servicing users. Although major work remained to recover fully from the Ryuk event, the most important services were restored rapidly:


"For the most part, the assembly line operation never missed a beat and we did not miss any customer shipments."

Over the following couple of weeks important milestones in the recovery process were accomplished in close collaboration between Progent engineers and the client:

  • Self-hosted web applications were brought back up with no loss of data.
  • The MailStore Exchange Server containing more than 4 million archived emails was brought online and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were completely recovered.
  • A new Palo Alto Networks 850 security appliance was set up.
  • Ninety percent of the desktop computers were back into operation.

"So much of what went on in the early hours is mostly a blur for me, but my management will not soon forget the dedication each of you accomplished to help get our business back. I've trusted Progent for the past 10 years, possibly more, and each time Progent has come through and delivered as promised. This event was the most impressive ever."

Conclusion
A potential business-ending disaster was avoided through the efforts of dedicated experts, a wide spectrum of subject matter expertise, and tight collaboration. Although in retrospect the ransomware virus incident described here could have been prevented with advanced security solutions and security best practices, staff education, and well thought out incident response procedures for information backup and keeping systems up to date with security patches, the reality remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a crypto-ransomware incursion, remember that Progent's roster of professionals has substantial experience in crypto-ransomware virus defense, cleanup, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for allowing me to get some sleep after we got through the first week. All of you did an impressive job, and if any of your team is around the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in El Paso a variety of remote monitoring and security assessment services to help you to minimize the threat from ransomware. These services incorporate modern machine learning capability to detect zero-day strains of ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which routinely get by traditional signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to manage the entire malware attack progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering via leading-edge technologies incorporated within a single agent managed from a single control. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP deployment that addresses your organization's specific requirements and that helps you prove compliance with legal and industry information security regulations. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also help you to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology providers to create ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup processes and allow non-disruptive backup and rapid recovery of critical files, applications, images, plus VMs. ProSight DPS helps your business recover from data loss caused by equipment breakdown, natural disasters, fire, malware like ransomware, user error, malicious insiders, or software bugs. Managed backup services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security companies to provide web-based control and world-class protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to offer complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most threats from reaching your security perimeter. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further layer of inspection for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map out, monitor, enhance and debug their networking appliances like routers, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, copies and manages the configuration of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, finding devices that need critical software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the state of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT management staff and your assigned Progent consultant so that any potential problems can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be moved easily to a different hosting environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your network documentation, you can save as much as 50% of time thrown away looking for vital information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're making improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior machine learning tools to guard endpoints as well as servers and VMs against modern malware assaults like ransomware and email phishing, which routinely get by traditional signature-matching AV tools. Progent ASM services protect local and cloud resources and provides a single platform to manage the entire threat lifecycle including protection, infiltration detection, containment, remediation, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Center: Support Desk Managed Services
    Progent's Support Desk services permit your IT staff to outsource Support Desk services to Progent or split responsibilities for Service Desk support transparently between your in-house support resources and Progent's extensive roster of certified IT support engineers and subject matter experts. Progent's Shared Service Desk provides a transparent extension of your core IT support staff. Client access to the Service Desk, delivery of support, escalation, ticket creation and tracking, efficiency measurement, and management of the support database are consistent regardless of whether incidents are taken care of by your in-house support group, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of any size a versatile and cost-effective solution for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information system. In addition to optimizing the security and functionality of your computer network, Progent's patch management services free up time for your in-house IT staff to concentrate on line-of-business initiatives and activities that derive the highest business value from your network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity confirmation on Apple iOS, Android, and other personal devices. With 2FA, when you sign into a secured application and enter your password you are asked to confirm who you are via a unit that only you have and that is accessed using a separate network channel. A wide selection of devices can be utilized as this second means of ID validation such as an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may register multiple validation devices. For details about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication (2FA) services for access security.
For El Paso 24/7 Ransomware Cleanup Consulting, contact Progent at 800-462-8800 or go to Contact Progent.