Ransomware: Your Feared Information Technology Disaster
Ransomware Recovery Professionals
Ransomware has become an escalating cyber pandemic that represents an extinction-level threat for businesses of all sizes that are poorly prepared for an attack. Different iterations of ransomware such as the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for a long time and continue to cause havoc. Recent variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with more as yet unnamed malware, not only encrypt online data files but also infiltrate most available system protection mechanisms. Information synchronized to cloud environments can also be corrupted. In a poorly architected system, this can make automatic restore operations useless and effectively knock the network back to zero.

Restoring programs and information after a ransomware intrusion becomes a sprint against the clock as the targeted business struggles to contain and eradicate the crypto-ransomware and to restore enterprise-critical operations. Because ransomware takes time to move laterally, attacks are often launched at night, when they are likely to take longer to detect. This compounds the difficulty of promptly mobilizing and orchestrating an experienced mitigation team.

Progent provides an assortment of support services for securing organizations from ransomware penetrations. These include user training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of modern security gateways with artificial intelligence technology from SentinelOne to discover and suppress new threats automatically. Progent also can provide the services of expert ransomware recovery engineers with the talent and commitment to rebuild a breached network as rapidly as possible.

Progent's Crypto-Ransomware Recovery Help
Soon after a ransomware event, paying the ransom demand in cryptocurrency does not provide any assurance that distant criminals will respond with the codes needed to decrypt any of your files. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to re-install the mission-critical parts of your IT environment. Absent the availability of complete information backups, this requires a wide range of IT skills, top-notch team management, and the ability to work continuously until the task is complete.

For two decades, Progent has offered professional Information Technology services for businesses in El Paso and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained top certifications in leading technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security engineers have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in accounting and ERP software solutions. This breadth of expertise provides Progent the capability to efficiently understand important systems and organize the remaining parts of your computer network environment following a ransomware penetration and assemble them into an operational system.

Progent's ransomware team uses state-of-the-art project management applications to orchestrate the sophisticated recovery process. Progent knows the urgency of working quickly and in concert with a client's management and IT team members to prioritize tasks and to get critical applications back online as soon as possible.

Customer Story: A Successful Ransomware Incident Restoration
A business engaged Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean government-sponsored criminal gangs, possibly using algorithms leaked from America's National Security Agency. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most lucrative iterations of crypto-ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk intrusion had shut down all essential operations and manufacturing processes. Most of the client's data backups had been directly accessible at the start of the intrusion and were destroyed. The client was pursuing financing for paying the ransom demand (exceeding two hundred thousand dollars) and praying for the best, but ultimately utilized Progent.


"I cannot say enough about the care Progent provided us throughout the most stressful time of (our) company's existence. We may have had to pay the criminal gangs except for the confidence the Progent team afforded us. That you were able to get our messaging and essential applications back sooner than five days was beyond my wildest dreams. Each expert I interacted with or texted at Progent was amazingly focused on getting our company operational and was working non-stop to bail us out."

Progent worked with the customer to quickly identify and prioritize the most important elements that needed to be recovered in order to continue business operations:

  • Active Directory
  • E-Mail
  • Accounting/MRP
To start, Progent adhered to industry best practices for malware incident response by halting lateral movement and clearing infected systems. Progent then started the process of bringing Microsoft Active Directory back online, since AD is the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not function without Active Directory, and the customer's financials and MRP system used Microsoft SQL Server, which requires Active Directory services for authentication to the database.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then initiated setup and storage recovery of mission-critical servers. All Exchange data and configuration information were usable, which facilitated the restore of Exchange. Progent was able to locate non-encrypted OST files (Microsoft Outlook Offline Folder Files) on user workstations to recover mail information. A recent offline backup of the client's accounting/ERP software made it possible to bring these essential applications back online for users. Although significant work remained to recover completely from the Ryuk damage, the most important systems were restored quickly:


"For the most part, the production operation showed little impact and we did not miss any customer deliverables."
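As an added illustration of the OST triage step described above, the following Python script is not code from Progent or from the original case study; it walks a workstation's profile tree, classifies every .ost file by whether it still begins with the OST/PST file signature, and summarizes the counts. The signature constant is a documented format fact (PST/OST files begin with the four bytes "!BDN"), and the sample profile tree the script builds is constructed here for demonstration only.

```python
import os
import tempfile
from pathlib import Path

# PST/OST files begin with the four-byte signature "!BDN" (the PFF format's
# dwMagic field). This is a documented format fact, not a value from the page.
OST_MAGIC = b"!BDN"


def classify_ost(path):
    """Return 'intact' if the file still carries the OST/PST signature,
    'damaged' if its header has been overwritten (e.g. by encryption),
    or 'unreadable' if the file cannot be opened."""
    try:
        with open(path, "rb") as f:
            header = f.read(4)
    except OSError:
        return "unreadable"
    return "intact" if header == OST_MAGIC else "damaged"


def inventory_ost_files(root):
    """Walk root (on a real workstation, a profile root such as C:\\Users)
    and classify every *.ost file found. Returns {path: classification}."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".ost"):
                full = os.path.join(dirpath, name)
                results[full] = classify_ost(full)
    return results


def summarize(results):
    """Count files per classification so a recovery team can see at a glance
    how many mailbox caches are candidates for mail recovery."""
    counts = {"intact": 0, "damaged": 0, "unreadable": 0}
    for verdict in results.values():
        counts[verdict] += 1
    return counts


def build_sample_profiles():
    """Constructed sample data: a temporary tree imitating two users' Outlook
    cache directories. One OST is intact, one has had its header overwritten,
    and a non-OST file is present to show it is ignored."""
    root = tempfile.mkdtemp(prefix="ost_demo_")
    alice = Path(root, "alice", "AppData", "Local", "Microsoft", "Outlook")
    bob = Path(root, "bob", "AppData", "Local", "Microsoft", "Outlook")
    alice.mkdir(parents=True)
    bob.mkdir(parents=True)
    # Intact cache: correct signature followed by padding.
    (alice / "alice@example.com.ost").write_bytes(OST_MAGIC + b"\x00" * 508)
    # Simulated post-encryption content: deterministic bytes with no signature.
    (bob / "bob@example.com.ost").write_bytes(bytes(range(256)) * 2)
    (bob / "notes.txt").write_bytes(b"not an ost file")
    return root


if __name__ == "__main__":
    demo_root = build_sample_profiles()
    found = inventory_ost_files(demo_root)
    for path, verdict in sorted(found.items()):
        print(f"{verdict:10s} {path}")
    print(summarize(found))
```

On a real workstation the script would be run with administrative rights and `inventory_ost_files(r"C:\Users")`; the header check only tells you whether the file was left untouched at its start, so an "intact" verdict marks a candidate for recovery, not a guarantee that the whole cache is undamaged.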

Over the following few weeks key milestones in the restoration process were accomplished in tight collaboration between Progent team members and the customer:

  • Internal web sites were returned to operation with no loss of data.
  • The MailStore Server, holding more than 4 million archived emails, was restored to operation and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory modules were completely recovered.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the user desktops were fully operational.

"A huge amount of what happened during the initial response is nearly entirely a fog for me, but my team will not soon forget the commitment each of you put in to help get our company back. I have trusted Progent for the past 10 years, possibly more, and every time Progent has come through and delivered. This situation was a Herculean accomplishment."

Conclusion
A potential enterprise-killing catastrophe was avoided with hard-working experts, a broad array of IT skills, and close teamwork. Although in retrospect the ransomware incident detailed here should have been blocked with modern cyber security solutions and ISO/IEC 27001 best practices, staff education, and appropriate security procedures for data backup and applying software patches, the reality is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and will keep attacking. If you do get hit by a ransomware virus, feel confident that Progent's team of professionals has a proven track record in crypto-ransomware defense, cleanup, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), I'm grateful for allowing me to get some sleep after we got through the first week. Everyone did an amazing effort, and if any of your guys is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in El Paso a range of online monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services utilize modern artificial intelligence capability to uncover zero-day variants of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily escape legacy signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud resources and provides a unified platform to address the complete malware attack lifecycle including protection, identification, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP offers firewall protection, penetration alarms, endpoint control, and web filtering via leading-edge tools incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help you to plan and configure a ProSight ESP environment that meets your company's specific requirements and that allows you to prove compliance with legal and industry information protection standards. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent can also help your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup software providers to create ProSight Data Protection Services (DPS), a family of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services automate and track your backup operations and enable non-disruptive backup and fast restoration of important files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss resulting from hardware breakdown, natural calamities, fire, malware like ransomware, user error, ill-intentioned employees, or application bugs. Managed backup services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security vendors to provide web-based control and comprehensive protection for all your email traffic. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and blocks most unwanted email from making it to your network firewall. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper level of analysis for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, monitor, reconfigure and debug their networking appliances like routers and switches, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network maps are kept current, copies and manages the configuration of virtually all devices on your network, monitors performance, and sends alerts when issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, locating appliances that require critical software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your network operating efficiently by checking the health of critical assets that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT personnel and your Progent engineering consultant so that any potential problems can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hosting environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect data about your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save up to half of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates next-generation behavior-based machine learning tools to defend endpoints as well as physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily evade legacy signature-based AV products. Progent ASM services safeguard local and cloud resources and provide a unified platform to manage the complete threat progression including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
    Progent's Call Desk managed services permit your IT team to offload Help Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your in-house support resources and Progent's extensive pool of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless supplement to your core IT support organization. Client interaction with the Help Desk, provision of support services, issue escalation, ticket generation and updates, efficiency measurement, and maintenance of the support database are consistent whether incidents are taken care of by your corporate network support staff, by Progent, or by a combination. Learn more about Progent's outsourced/shared Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer organizations of any size a versatile and cost-effective alternative for evaluating, validating, scheduling, applying, and tracking updates to your ever-evolving information network. Besides optimizing the security and functionality of your IT environment, Progent's software/firmware update management services permit your in-house IT team to concentrate on line-of-business initiatives and activities that deliver maximum business value from your network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication. Duo supports single-tap identity verification on iOS, Google Android, and other out-of-band devices. Using 2FA, when you log into a protected application and give your password you are requested to verify your identity on a device that only you possess and that uses a different network channel. A wide selection of out-of-band devices can be utilized for this added means of ID validation such as a smartphone or watch, a hardware/software token, a landline telephone, etc. You can designate multiple validation devices. To learn more about ProSight Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services for access security.

For 24x7 El Paso Crypto-Ransomware Removal Support Services, contact Progent at 800-462-8800 or go to Contact Progent.