Ransomware : Your Feared Information Technology Disaster
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become an escalating cyberplague that poses an existential threat for businesses of all sizes vulnerable to an attack. Versions of ransomware such as Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for a long time and still cause destruction. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with daily as yet unnamed newcomers, not only encrypt online critical data but also infect all available system backup. Information synchronized to off-site disaster recovery sites can also be corrupted. In a vulnerable data protection solution, this can make automated restore operations useless and basically sets the datacenter back to square one.

Getting back applications and information after a ransomware event becomes a race against the clock as the targeted business tries its best to contain and eradicate the ransomware and to resume mission-critical activity. Due to the fact that crypto-ransomware requires time to replicate, attacks are usually sprung on weekends and holidays, when successful attacks are likely to take more time to discover. This multiplies the difficulty of rapidly mobilizing and organizing a knowledgeable response team.

Progent has a range of solutions for protecting organizations from crypto-ransomware events. These include staff training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security gateways with artificial intelligence capabilities from SentinelOne to detect and quarantine zero-day cyber attacks automatically. Progent also can provide the assistance of veteran ransomware recovery consultants with the talent and perseverance to rebuild a breached system as rapidly as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a ransomware attack, sending the ransom demands in cryptocurrency does not ensure that criminal gangs will return the keys to decrypt any or all of your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the typical crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to setup from scratch the mission-critical components of your IT environment. Without the availability of complete system backups, this calls for a wide range of skill sets, well-coordinated team management, and the capability to work non-stop until the task is over.

For twenty years, Progent has made available expert IT services for companies in Baton Rouge and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of expertise provides Progent the capability to rapidly identify important systems and consolidate the surviving components of your computer network system following a crypto-ransomware penetration and assemble them into an operational network.

Progent's recovery team of experts has top notch project management systems to coordinate the sophisticated restoration process. Progent appreciates the importance of acting swiftly and together with a client's management and Information Technology staff to assign priority to tasks and to get key services back online as fast as humanly possible.

Client Story: A Successful Ransomware Virus Restoration
A small business sought out Progent after their organization was brought down by the Ryuk ransomware. Ryuk is thought to have been created by Northern Korean government sponsored hackers, possibly adopting technology leaked from the United States National Security Agency. Ryuk attacks specific organizations with little or no tolerance for disruption and is among the most lucrative instances of ransomware viruses. Major targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk event had paralyzed all essential operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and wishfully thinking for the best, but in the end brought in Progent.


"I can�t tell you enough about the expertise Progent gave us during the most fearful time of (our) company�s existence. We had little choice but to pay the criminal gangs if not for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and important applications back sooner than a week was earth shattering. Every single expert I talked with or e-mailed at Progent was absolutely committed on getting us working again and was working 24/7 on our behalf."

Progent worked together with the customer to quickly identify and prioritize the key areas that had to be restored to make it possible to restart company functions:

  • Windows Active Directory
  • Electronic Mail
  • MRP System
To get going, Progent adhered to Anti-virus incident mitigation industry best practices by stopping lateral movement and cleaning up infected systems. Progent then initiated the work of recovering Microsoft AD, the key technology of enterprise systems built on Microsoft technology. Microsoft Exchange Server email will not work without AD, and the businesses� MRP software utilized Microsoft SQL Server, which requires Active Directory for security authorization to the databases.

In less than 48 hours, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then initiated setup and storage recovery on mission critical applications. All Exchange data and configuration information were intact, which accelerated the restore of Exchange. Progent was able to find non-encrypted OST files (Microsoft Outlook Off-Line Data Files) on user desktop computers and laptops to recover mail data. A recent off-line backup of the businesses financials/MRP systems made it possible to recover these vital programs back online. Although a large amount of work was left to recover fully from the Ryuk event, critical systems were restored rapidly:


"For the most part, the production manufacturing operation showed little impact and we delivered all customer sales."

Throughout the next few weeks important milestones in the restoration project were made through tight collaboration between Progent consultants and the customer:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore Exchange Server exceeding four million archived messages was brought online and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were fully functional.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Nearly all of the user desktops and notebooks were fully operational.

"A huge amount of what occurred in the early hours is nearly entirely a blur for me, but my management will not forget the care all of you put in to help get our business back. I�ve trusted Progent for the past ten years, maybe more, and each time Progent has shined and delivered. This situation was the most impressive ever."

Conclusion
A potential business-ending disaster was dodged through the efforts of hard-working experts, a broad spectrum of IT skills, and close collaboration. Although upon completion of forensics the ransomware virus attack described here could have been identified and prevented with advanced security technology solutions and recognized best practices, team training, and properly executed incident response procedures for information protection and keeping systems up to date with security patches, the reality remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware virus, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for allowing me to get some sleep after we got through the most critical parts. All of you did an amazing job, and if anyone that helped is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Baton Rouge a portfolio of remote monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services include next-generation artificial intelligence technology to detect zero-day variants of ransomware that are able to evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily evade legacy signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a unified platform to automate the entire threat lifecycle including blocking, identification, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools packaged within a single agent accessible from a unified control. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP environment that meets your organization's specific needs and that allows you achieve and demonstrate compliance with government and industry data protection regulations. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for urgent action. Progent's consultants can also assist your company to install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and track your backup operations and enable transparent backup and fast restoration of vital files/folders, apps, system images, plus virtual machines. ProSight DPS lets your business protect against data loss caused by hardware failures, natural calamities, fire, malware such as ransomware, human error, malicious insiders, or application glitches. Managed services in the ProSight Data Protection Services product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security vendors to provide web-based control and comprehensive protection for all your inbound and outbound email. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a first line of defense and blocks most threats from reaching your security perimeter. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progents ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, track, reconfigure and debug their connectivity hardware such as switches, firewalls, and access points plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are always current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and sends alerts when issues are discovered. By automating complex management activities, WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, finding devices that need important software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progents server and desktop monitoring service that incorporates advanced remote monitoring and management technology to help keep your network running efficiently by tracking the health of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT management personnel and your assigned Progent consultant so any looming problems can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard information about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates ,domains or warranties. By updating and managing your IT documentation, you can save as much as half of time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether youre making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next generation behavior machine learning tools to guard endpoint devices and physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-based AV products. Progent Active Security Monitoring services safeguard local and cloud-based resources and offers a unified platform to manage the entire threat lifecycle including filtering, infiltration detection, containment, remediation, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Center: Help Desk Managed Services
    Progent's Help Center managed services allow your IT group to offload Help Desk services to Progent or split activity for Help Desk services transparently between your in-house support staff and Progent's nationwide roster of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a transparent extension of your internal IT support resources. Client interaction with the Help Desk, delivery of support services, problem escalation, trouble ticket generation and updates, performance measurement, and maintenance of the service database are consistent regardless of whether issues are taken care of by your in-house support group, by Progent, or by a combination. Learn more about Progent's outsourced/shared Call Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide businesses of any size a versatile and cost-effective alternative for evaluating, validating, scheduling, applying, and tracking updates to your dynamic information system. Besides optimizing the protection and functionality of your computer network, Progent's software/firmware update management services free up time for your IT staff to focus on line-of-business initiatives and activities that deliver the highest business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo supports single-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. Using 2FA, whenever you log into a secured online account and enter your password you are asked to verify who you are via a device that only you possess and that is accessed using a different network channel. A broad range of devices can be used for this second form of ID validation including a smartphone or watch, a hardware token, a landline telephone, etc. You may register multiple validation devices. To learn more about ProSight Duo identity authentication services, see Duo MFA two-factor authentication services for access security.
For 24-7 Baton Rouge Crypto-Ransomware Remediation Services, reach out to Progent at 800-462-8800 or go to Contact Progent.