Ransomware : Your Feared Information Technology Catastrophe
Crypto-Ransomware  Remediation ProfessionalsRansomware has become an escalating cyberplague that presents an existential threat for organizations unprepared for an assault. Different versions of ransomware like the CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for a long time and continue to inflict destruction. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, plus frequent unnamed viruses, not only do encryption of on-line data files but also infect all available system restores and backups. Information synched to the cloud can also be rendered useless. In a vulnerable system, it can make automatic restore operations useless and basically knocks the datacenter back to square one.

Getting back programs and data following a ransomware event becomes a race against the clock as the targeted organization struggles to contain and eradicate the ransomware and to resume business-critical operations. Due to the fact that ransomware needs time to move laterally, attacks are usually launched on weekends and holidays, when attacks are likely to take more time to discover. This compounds the difficulty of quickly assembling and orchestrating a capable response team.

Progent offers an assortment of services for securing enterprises from ransomware events. Among these are user education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security gateways with machine learning capabilities from SentinelOne to discover and quarantine new threats automatically. Progent in addition offers the services of expert crypto-ransomware recovery professionals with the skills and perseverance to reconstruct a compromised network as soon as possible.

Progent's Ransomware Restoration Help
Following a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will return the keys to decrypt all your files. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the average ransomware demands, which ZDNET determined to be around $13,000. The fallback is to setup from scratch the essential elements of your IT environment. Without the availability of full data backups, this requires a wide complement of skill sets, top notch project management, and the willingness to work non-stop until the recovery project is finished.

For twenty years, Progent has made available certified expert IT services for companies in Uniondale and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained advanced certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of expertise provides Progent the capability to knowledgably determine necessary systems and consolidate the surviving pieces of your IT environment following a ransomware event and rebuild them into an operational system.

Progent's security team deploys powerful project management tools to coordinate the complex recovery process. Progent knows the importance of acting rapidly and in concert with a customer's management and Information Technology team members to assign priority to tasks and to put critical services back online as fast as humanly possible.

Case Study: A Successful Ransomware Incident Recovery
A customer hired Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is thought to have been created by Northern Korean government sponsored cybercriminals, suspected of using techniques exposed from America's National Security Agency. Ryuk seeks specific companies with little tolerance for disruption and is one of the most profitable instances of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with around 500 staff members. The Ryuk intrusion had disabled all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom (exceeding $200K) and praying for the best, but ultimately called Progent.


"I can't speak enough in regards to the support Progent provided us during the most stressful time of (our) company's existence. We may have had to pay the cybercriminals except for the confidence the Progent team gave us. That you were able to get our e-mail system and production servers back online faster than five days was beyond my wildest dreams. Every single staff member I spoke to or e-mailed at Progent was laser focused on getting us restored and was working all day and night to bail us out."

Progent worked hand in hand the customer to quickly identify and prioritize the essential services that needed to be addressed to make it possible to continue business functions:

  • Active Directory (AD)
  • Electronic Mail
  • Accounting and Manufacturing Software
To get going, Progent followed Anti-virus penetration response best practices by stopping the spread and clearing up compromised systems. Progent then initiated the steps of bringing back online Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange email will not function without Active Directory, and the client's financials and MRP software utilized Microsoft SQL Server, which depends on Active Directory for authentication to the information.

In less than 48 hours, Progent was able to re-build Active Directory services to its pre-intrusion state. Progent then accomplished reinstallations and storage recovery of the most important systems. All Exchange Server data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to find local OST data files (Outlook Email Offline Data Files) on various workstations in order to recover email data. A not too old offline backup of the client's accounting/MRP systems made it possible to return these vital programs back online for users. Although significant work still had to be done to recover completely from the Ryuk event, the most important systems were restored rapidly:


"For the most part, the assembly line operation did not miss a beat and we delivered all customer orders."

Throughout the next few weeks key milestones in the recovery process were made in tight collaboration between Progent consultants and the client:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore Server with over four million archived emails was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control functions were fully recovered.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Most of the user desktops and notebooks were back into operation.

"So much of what was accomplished in the initial days is mostly a fog for me, but our team will not forget the urgency each and every one of the team accomplished to give us our company back. I've trusted Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A probable business extinction catastrophe was dodged with results-oriented experts, a broad array of subject matter expertise, and tight teamwork. Although in hindsight the ransomware incident detailed here would have been identified and blocked with current cyber security solutions and recognized best practices, team training, and properly executed security procedures for data backup and proper patching controls, the fact is that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has a proven track record in crypto-ransomware virus blocking, cleanup, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thank you for allowing me to get some sleep after we got through the initial fire. All of you did an incredible job, and if anyone is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Uniondale a range of online monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services utilize modern artificial intelligence technology to detect new variants of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's next generation behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to manage the complete malware attack lifecycle including protection, detection, containment, remediation, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering through cutting-edge tools incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP deployment that addresses your organization's specific needs and that helps you demonstrate compliance with legal and industry data security regulations. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup/restore technology providers to produce ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup operations and enable transparent backup and fast restoration of important files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss caused by hardware failures, natural disasters, fire, malware like ransomware, user mistakes, malicious insiders, or software bugs. Managed services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security vendors to deliver web-based management and comprehensive protection for all your inbound and outbound email. The powerful structure of Email Guard combines cloud-based filtering with an on-premises gateway appliance to provide advanced defense against spam, viruses, Dos Attacks, DHAs, and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further layer of analysis for incoming email. For outbound email, the onsite security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, track, reconfigure and debug their networking appliances such as switches, firewalls, and access points as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, captures and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when problems are detected. By automating tedious network management processes, WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, finding appliances that require important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by checking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT personnel and your assigned Progent engineering consultant so that any potential problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved easily to a different hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save as much as 50% of time spent searching for vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes cutting edge behavior analysis tools to defend endpoint devices and physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. Progent ASM services safeguard local and cloud resources and provides a unified platform to automate the entire threat lifecycle including blocking, infiltration detection, containment, remediation, and forensics. Top features include single-click rollback with Windows VSS and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Desk: Help Desk Managed Services
    Progent's Help Center managed services permit your information technology team to offload Help Desk services to Progent or divide activity for support services transparently between your internal support group and Progent's nationwide pool of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a seamless extension of your in-house IT support team. User interaction with the Service Desk, provision of support, escalation, ticket generation and updates, efficiency metrics, and management of the service database are consistent whether issues are taken care of by your corporate support resources, by Progent, or by a combination. Learn more about Progent's outsourced/shared Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a flexible and cost-effective solution for evaluating, testing, scheduling, applying, and tracking updates to your ever-evolving information network. Besides maximizing the security and functionality of your computer environment, Progent's patch management services allow your IT team to focus on more strategic projects and activities that deliver the highest business value from your information network. Read more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication (2FA). Duo supports one-tap identity verification on iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a secured online account and give your password you are asked to confirm who you are on a unit that only you possess and that uses a different network channel. A wide selection of devices can be utilized as this second form of authentication such as a smartphone or wearable, a hardware token, a landline telephone, etc. You may designate several verification devices. For details about Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of real-time reporting tools created to work with the top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like spotty support follow-through or machines with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24/7/365 Uniondale Crypto Repair Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.