Ransomware : Your Worst Information Technology Disaster
Crypto-Ransomware Remediation Consultants
Ransomware has become a too-frequent cyber pandemic that poses an extinction-level threat for businesses vulnerable to an assault. Versions of ransomware such as Dharma, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and still cause havoc. Recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as additional as-yet-unnamed malware, not only encrypt online data files but also infiltrate many of the available system protection mechanisms. Data synched to the cloud can also be rendered useless. In a poorly architected data protection solution, this can make automatic restore operations hopeless and effectively knock the datacenter back to square one.

Recovering services and information following a crypto-ransomware outage becomes a sprint against the clock as the victim fights to stop lateral movement, remove the ransomware, and resume mission-critical operations. Since crypto-ransomware takes time to move laterally, penetrations are usually launched during weekends and at night, when attacks often take longer to detect. This multiplies the difficulty of quickly assembling and organizing a qualified response team.

Progent has an assortment of solutions for protecting organizations from crypto-ransomware penetrations. These include staff education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security solutions with artificial intelligence technology from SentinelOne to discover and extinguish zero-day threats quickly. Progent also offers the services of experienced ransomware recovery engineers with the track record and perseverance to re-deploy a breached system as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware event, even paying the ransom demand in Bitcoin does not ensure that the distant criminals will return the keys needed to decrypt all your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their files even after sending the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to piece back together the key components of your Information Technology environment. Without full system backups available, this requires a broad range of skills, top-notch team management, and the capability to work continuously until the task is completed.

For twenty years, Progent has provided certified expert IT services for businesses in Garland and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security consultants have garnered internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the capability to rapidly identify the necessary systems, organize the surviving pieces of your network environment following a crypto-ransomware event, and rebuild them into a functioning network.

Progent's ransomware team of experts uses state-of-the-art project management applications to coordinate the complicated restoration process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT team members to prioritize tasks and to put essential applications back on line as fast as possible.

Customer Story: A Successful Crypto-Ransomware Penetration Restoration
A customer contacted Progent after their network was brought down by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state hackers, suspected of using algorithms leaked from the U.S. NSA. Ryuk goes after specific businesses with limited room for disruption and is one of the most profitable examples of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk penetration had shut down all company operations and manufacturing processes. The majority of the client's data backups had been on-line at the time of the attack and were encrypted. The client was evaluating paying the ransom (in excess of $200K) and hoping for good luck, but ultimately engaged Progent.


"I can't say enough about the help Progent gave us during the most stressful period of (our) company's survival. We most likely would have paid the cyber criminals except for the confidence the Progent team gave us. That you were able to get our messaging and important applications back online in less than five days was something I thought impossible. Each expert I talked with or texted at Progent was absolutely committed on getting us working again and was working at all hours to bail us out."

Progent worked hand in hand with the client to rapidly identify and prioritize the most important elements that needed to be recovered to make it possible to restart business functions:

  • Active Directory
  • Microsoft Exchange Server
  • MRP System
To begin, Progent adhered to industry best practices for anti-virus/malware incident response by stopping lateral movement and removing active malware. Progent then began the work of bringing Windows Active Directory back online, the foundation of enterprise environments built on Microsoft technology. Exchange messaging will not function without Active Directory, and the client's MRP system used Microsoft SQL Server, which depends on Active Directory services for access to its data.

Within 48 hours, Progent was able to recover Windows Active Directory to its pre-infection state. Progent then assisted with setup and storage recovery of essential applications. All Exchange Server ties and attributes were intact, which greatly helped the restore of Exchange. Progent was able to find intact OST files (Outlook Offline Data Files) on staff desktop computers to recover mail information. A relatively recent offline backup of the client's accounting/ERP software made it possible to return these vital applications to users. Although significant work remained to recover fully from the Ryuk event, core systems were returned to operation rapidly:


"For the most part, the production operation ran fairly normal throughout and we delivered all customer shipments."

Over the next few weeks important milestones in the recovery process were achieved through tight collaboration between Progent team members and the client:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore Server with over four million historical messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory Control modules were 100 percent functional.
  • A new Palo Alto 850 security appliance was installed.
  • Nearly all of the user workstations were operational.

"So much of what went on during the initial response is mostly a haze for me, but our team will not forget the commitment each of you put in to give us our company back. I've been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This situation was a Herculean accomplishment."

Conclusion
A probable business-ending catastrophe was averted thanks to results-oriented experts, a wide range of technical expertise, and tight teamwork. Post-incident forensics showed that the ransomware incident detailed here could have been prevented with modern security solutions and recognized best practices: staff education, properly executed security procedures for information backup, and keeping systems up to date with security patches. Nonetheless, the reality remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware virus, remember that Progent's roster of experts has extensive experience in ransomware blocking, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thanks very much for letting me get rested after we made it past the initial push. Everyone did an amazing effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Garland a range of remote monitoring and security assessment services to help you minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence capability to uncover new strains of ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next-generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely escape legacy signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to address the complete threat progression including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent accessible from a single console. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that meets your organization's unique requirements and that allows you to demonstrate compliance with government and industry data security standards. Progent will assist you in defining and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate attention. Progent's consultants can also help your company to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup software providers to produce ProSight Data Protection Services, a selection of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup processes and allow non-disruptive backup and rapid recovery of vital files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, human error, ill-intentioned insiders, or application glitches. Managed services in the ProSight Data Protection Services product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security companies to provide web-based management and world-class protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of threats from making it to your network firewall. This reduces your vulnerability to external attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway device adds a deeper level of inspection for incoming email. For outbound email, the local security gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also assist Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller organizations to map, track, enhance and debug their connectivity appliances such as switches, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, finding devices that require important updates, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to keep your IT system operating efficiently by tracking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT management personnel and your assigned Progent consultant so any potential issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and safeguard information related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save as much as 50% of the time spent searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates cutting-edge behavior-based machine learning technology to defend endpoints as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which easily get by traditional signature-matching AV products. Progent ASM services safeguard on-premises and cloud-based resources and offer a single platform to automate the complete threat lifecycle including filtering, detection, mitigation, remediation, and forensics. Top features include single-click rollback with Windows VSS and real-time system-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Center: Help Desk Managed Services
    Progent's Call Desk services enable your IT staff to offload Help Desk services to Progent or divide responsibilities for Service Desk support transparently between your internal network support staff and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a transparent supplement to your internal support staff. End user access to the Help Desk, delivery of support, escalation, trouble ticket generation and tracking, performance metrics, and management of the service database are cohesive regardless of whether incidents are resolved by your core IT support group, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer businesses of any size a flexible and cost-effective alternative for assessing, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving information network. In addition to optimizing the security and reliability of your IT network, Progent's patch management services allow your IT team to concentrate on line-of-business initiatives and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against compromised passwords through the use of two-factor authentication. Duo supports one-tap identity confirmation on iOS, Google Android, and other personal devices. With 2FA, when you sign into a secured application and give your password, you are asked to confirm your identity via a device that only you have and that uses a separate network channel. A wide range of out-of-band devices can be used as this added form of authentication, including an iPhone, Android phone or wearable, a hardware token, a landline phone, etc. You may designate several verification devices. For details about ProSight Duo two-factor identity validation services, go to Duo MFA two-factor authentication services for access security.
For Garland 24-7 Crypto Repair Support Services, contact Progent at 800-462-8800 or go to Contact Progent.