Ransomware : Your Worst IT Nightmare
Ransomware  Recovery ConsultantsCrypto-Ransomware has become a modern cyber pandemic that presents an extinction-level danger for businesses vulnerable to an attack. Versions of ransomware like the Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for years and still inflict destruction. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with more as yet unnamed newcomers, not only do encryption of online critical data but also infect most available system backup. Information synchronized to the cloud can also be encrypted. In a vulnerable environment, this can make automatic restoration impossible and basically sets the datacenter back to square one.

Getting back on-line services and data following a crypto-ransomware event becomes a sprint against the clock as the targeted organization tries its best to contain the damage, eradicate the virus, and restore mission-critical activity. Because ransomware takes time to move laterally, assaults are often launched during nights and weekends, when successful attacks may take longer to uncover. This multiplies the difficulty of quickly assembling and organizing a capable response team.

Progent makes available a range of support services for securing enterprises from ransomware attacks. These include team member education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of next-generation security gateways with machine learning technology from SentinelOne to identify and extinguish new threats quickly. Progent also offers the assistance of experienced crypto-ransomware recovery engineers with the track record and commitment to reconstruct a compromised system as urgently as possible.

Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware invasion, sending the ransom in cryptocurrency does not provide any assurance that cyber hackers will provide the keys to decrypt any of your files. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms are often a few hundred thousand dollars. For larger organizations, the ransom can reach millions. The other path is to setup from scratch the vital parts of your IT environment. Without access to essential data backups, this requires a wide range of skill sets, well-coordinated project management, and the ability to work continuously until the job is done.

For twenty years, Progent has made available professional Information Technology services for businesses across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained advanced certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-renowned certifications including CISM, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise affords Progent the ability to efficiently identify important systems and organize the remaining components of your Information Technology system following a crypto-ransomware penetration and configure them into an operational system.

Progent's ransomware group utilizes powerful project management tools to orchestrate the complicated restoration process. Progent understands the importance of working swiftly and in unison with a client's management and Information Technology resources to prioritize tasks and to get essential systems back on-line as soon as humanly possible.

Customer Case Study: A Successful Ransomware Attack Recovery
A customer engaged Progent after their network was penetrated by the Ryuk ransomware virus. Ryuk is generally considered to have been developed by North Korean state criminal gangs, possibly adopting techniques leaked from the United States National Security Agency. Ryuk attacks specific organizations with little or no room for operational disruption and is one of the most profitable examples of crypto-ransomware. High publicized victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago and has around 500 staff members. The Ryuk penetration had disabled all company operations and manufacturing processes. The majority of the client's data protection had been directly accessible at the time of the attack and were damaged. The client was taking steps for paying the ransom (exceeding $200K) and wishfully thinking for the best, but ultimately utilized Progent.


"I cannot thank you enough about the support Progent provided us during the most fearful period of (our) businesses survival. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent experts gave us. That you could get our e-mail and critical applications back into operation faster than 1 week was amazing. Every single person I talked with or communicated with at Progent was laser focused on getting us restored and was working day and night on our behalf."

Progent worked with the client to rapidly understand and prioritize the mission critical applications that had to be restored in order to continue departmental functions:

  • Windows Active Directory
  • Microsoft Exchange
  • MRP System
To begin, Progent followed AV/Malware Processes incident mitigation industry best practices by halting lateral movement and clearing infected systems. Progent then began the task of rebuilding Active Directory, the core of enterprise environments built upon Microsoft technology. Microsoft Exchange Server messaging will not function without AD, and the customer's financials and MRP applications used SQL Server, which needs Active Directory services for access to the data.

Within 48 hours, Progent was able to recover Active Directory to its pre-virus state. Progent then charged ahead with rebuilding and storage recovery on critical systems. All Exchange ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Off-Line Data Files) on various desktop computers to recover email messages. A recent off-line backup of the customer's accounting/MRP software made it possible to restore these essential applications back online. Although a large amount of work remained to recover totally from the Ryuk event, the most important systems were recovered quickly:


"For the most part, the production line operation was never shut down and we made all customer sales."

During the next month critical milestones in the recovery project were accomplished in close collaboration between Progent consultants and the customer:

  • Internal web sites were restored with no loss of information.
  • The MailStore Server containing more than 4 million archived emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control capabilities were completely functional.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • 90% of the desktop computers were operational.

"A huge amount of what occurred that first week is mostly a haze for me, but my management will not soon forget the commitment each of you put in to help get our business back. I've trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered. This time was a life saver."

Conclusion
A possible company-ending catastrophe was evaded through the efforts of hard-working experts, a wide range of technical expertise, and close teamwork. Although in analyzing the event afterwards the crypto-ransomware virus incident detailed here would have been stopped with advanced cyber security solutions and ISO/IEC 27001 best practices, staff training, and well designed security procedures for information backup and proper patching controls, the reality is that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's roster of experts has extensive experience in ransomware virus defense, cleanup, and information systems recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for letting me get rested after we made it past the initial push. Everyone did an fabulous job, and if any of your team is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Greensboro a variety of remote monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services utilize next-generation artificial intelligence technology to detect new strains of crypto-ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior-based analysis technology to defend physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which routinely evade traditional signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud resources and provides a unified platform to address the entire threat progression including filtering, detection, containment, remediation, and forensics. Top capabilities include one-click rollback with Windows VSS and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to security assaults from all vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering via leading-edge tools packaged within one agent accessible from a unified console. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP environment that meets your company's unique needs and that allows you prove compliance with government and industry information security standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate action. Progent's consultants can also help you to set up and test a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with leading backup/restore technology companies to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup operations and enable transparent backup and fast restoration of vital files, applications, system images, and virtual machines. ProSight DPS helps you protect against data loss caused by equipment failures, natural calamities, fire, malware such as ransomware, human mistakes, malicious employees, or software glitches. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security vendors to deliver centralized management and world-class security for your email traffic. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to provide advanced defense against spam, viruses, Dos Attacks, DHAs, and other email-borne threats. The cloud filter serves as a preliminary barricade and blocks the vast majority of threats from making it to your security perimeter. This decreases your vulnerability to external threats and conserves network bandwidth and storage. Email Guard's onsite gateway device adds a further layer of analysis for incoming email. For outgoing email, the onsite gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to diagram, monitor, reconfigure and troubleshoot their networking appliances like routers, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are kept updated, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends alerts when problems are discovered. By automating time-consuming management activities, WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, locating devices that need important updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating efficiently by tracking the state of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT personnel and your Progent consultant so all looming issues can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved immediately to a different hardware solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect information related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your network documentation, you can save as much as half of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates cutting edge behavior machine learning technology to defend endpoints as well as physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which easily get by legacy signature-based anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provides a single platform to manage the entire malware attack lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Desk: Help Desk Managed Services
    Progent's Call Center managed services allow your IT staff to outsource Call Center services to Progent or split activity for Service Desk support transparently between your in-house support group and Progent's nationwide roster of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a transparent supplement to your corporate IT support group. User access to the Help Desk, delivery of support services, escalation, ticket creation and tracking, efficiency metrics, and management of the support database are consistent whether incidents are taken care of by your internal network support staff, by Progent's team, or both. Read more about Progent's outsourced/co-managed Service Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and affordable alternative for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. Besides maximizing the protection and reliability of your computer network, Progent's software/firmware update management services permit your in-house IT staff to concentrate on more strategic projects and activities that deliver maximum business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity verification with iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected online account and give your password you are asked to confirm your identity on a device that only you have and that is accessed using a separate network channel. A wide selection of out-of-band devices can be utilized for this second means of ID validation including a smartphone or watch, a hardware/software token, a landline telephone, etc. You can designate multiple verification devices. To find out more about Duo two-factor identity authentication services, visit Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of real-time and in-depth management reporting plug-ins created to work with the industry's top ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues like spotty support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For Greensboro 24/7/365 Ransomware Repair Services, contact Progent at 800-462-8800 or go to Contact Progent.