Ransomware : Your Feared IT Catastrophe
Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyber plague that represents an extinction-level danger for organizations poorly prepared for an attack. Versions of ransomware such as the Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for a long time and continue to inflict harm. The latest ransomware families, such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, as well as unnamed newcomers, not only encrypt online data files but also attack any configured system protection they can reach. Information synced to cloud environments can also be ransomed. In a poorly architected environment, this can make recovery hopeless and effectively knock the datacenter back to square one.

Getting applications and information back online after a ransomware event becomes a sprint against time as the victim struggles to contain the damage, remove the ransomware and resume business-critical operations. Since ransomware needs time to move laterally, attacks are often sprung on weekends, when successful attacks may take longer to notice. This compounds the difficulty of promptly assembling and coordinating an experienced response team.

Progent offers a variety of services for securing enterprises against ransomware attacks. Among these are staff training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions with artificial intelligence technology from SentinelOne to identify and disable new threats quickly. Progent also offers the assistance of experienced ransomware recovery consultants with the skills and perseverance to restore a compromised system as urgently as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom demand in cryptocurrency does not ensure that the cyber criminals will respond with the keys to decrypt any or all of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their files even after having sent the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to set up from scratch the mission-critical parts of your Information Technology environment. Without access to full system backups, this calls for a broad complement of IT skills, well-coordinated team management, and the ability to work non-stop until the task is completed.

For decades, Progent has provided certified expert IT services for companies in Chatsworth and across the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security engineers have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the capability to rapidly understand the necessary systems, re-organize the surviving components of your network following a ransomware penetration, and configure them into a functioning system.

Progent's recovery group uses state-of-the-art project management tools to orchestrate the complicated restoration process. Progent knows the importance of working swiftly and in concert with a client's management and IT resources to prioritize tasks and to get critical services back on-line as soon as possible.

Client Case Study: A Successful Ransomware Penetration Restoration
A small business escalated to Progent after its network was penetrated by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored hackers, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific businesses with little or no ability to sustain disruption and is among the most profitable versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with around 500 employees. The Ryuk penetration had shut down all company operations and manufacturing processes. The majority of the client's system backups had been on-line at the time of the attack and were damaged. The client was considering paying the ransom (more than $200K) and hoping for the best, but in the end reached out to Progent.


"I cannot thank you enough for the help Progent provided us during the most stressful period of (our) business's survival. We may have had to pay the criminal gangs except for the confidence the Progent group gave us. The fact that you could get our messaging and critical applications back in less than a week was amazing. Each person I spoke to or texted at Progent was amazingly focused on getting our system up and was working at breakneck pace on our behalf."

Progent worked hand in hand with the customer to rapidly understand and prioritize the mission-critical systems that had to be addressed to make it possible to resume business operations:

  • Active Directory
  • Microsoft Exchange Email
  • Financials/MRP

To begin, Progent followed industry best practices for malware incident response by stopping the spread and cleaning infected systems. Progent then started the task of bringing Microsoft Active Directory back online, the key technology of enterprise systems built on Microsoft Windows. Exchange messaging will not function without Active Directory, and the business's MRP system used Microsoft SQL Server, which relies on Active Directory to authenticate and authorize access to the database.

Within 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then rebuilt and recovered storage for the most important systems. All Microsoft Exchange Server data and attributes were intact, which accelerated the restoration of Exchange. Progent was also able to gather local OST files (Microsoft Outlook Offline Data Files) from user workstations and laptops to recover email data. A recent offline backup of the customer's accounting/ERP software made it possible to bring these vital applications back to users. Although significant work remained to recover fully from the Ryuk damage, the most important systems were recovered quickly:


"For the most part, the manufacturing operation never missed a beat and we delivered all customer shipments."

During the following weeks, critical milestones in the restoration process were accomplished in close cooperation between Progent consultants and the customer:

  • Self-hosted web applications were restored without losing any information.
  • The MailStore email archive for Microsoft Exchange Server, with over 4 million archived emails, was brought on-line and made accessible to users.
  • CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory control capabilities were 100% functional.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Most user workstations were back in use by staff.

"A huge amount of what happened during the initial response is nearly entirely a haze for me, but we will not forget the urgency all of you put in to give us our company back. I have trusted Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered. This time was a stunning achievement."

Conclusion
A likely business disaster was averted thanks to hard-working professionals, a wide array of knowledge, and close teamwork. Although in retrospect the crypto-ransomware penetration described here would have been blocked by current security solutions, NIST Cybersecurity Framework best practices, team education, and well-designed incident response procedures for backup and for applying software patches, the reality remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incursion, be confident that Progent's team of professionals has proven experience in ransomware defense, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get some sleep after we got through the first week. All of you did an incredible job, and if anyone who helped is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Chatsworth a range of online monitoring and security evaluation services designed to help reduce the threat from crypto-ransomware. These services use next-generation AI capabilities to detect zero-day strains of ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely get past legacy signature-matching AV products. ProSight ASM protects local and cloud-based resources and provides a unified platform to address the entire threat lifecycle, including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and response to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP environment that meets your company's unique requirements and that allows you to prove compliance with government and industry information security regulations. Progent will help you specify and configure the policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate action. Progent's consultants can also help you to set up and test a backup and restore system like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services, a family of management offerings that provide backup-as-a-service. ProSight DPS products manage and monitor your backup operations and enable transparent backup and fast recovery of critical files, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss caused by equipment failures, natural calamities, fire, malware like ransomware, human error, malicious employees, or application bugs. Managed services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide centralized control and comprehensive protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper level of inspection for inbound email. For outgoing email, the onsite gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server to track and safeguard internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, track, reconfigure and debug their networking hardware such as routers, firewalls, and access points plus servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, captures and manages the configuration information of almost all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating complex management activities, WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, finding devices that require critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your network running efficiently by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT management staff and your assigned Progent consultant so that any potential problems can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to half of the time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting-edge behavior-based analysis technology to defend endpoints as well as servers and VMs against new malware attacks like ransomware and fileless exploits, which easily evade legacy signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and provide a unified platform to address the complete threat lifecycle, including filtering, detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Desk: Call Center Managed Services
    Progent's Service Desk managed services allow your information technology group to offload Support Desk services to Progent or to divide Service Desk activity seamlessly between your internal network support resources and Progent's nationwide pool of IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a seamless extension of your in-house support organization. End user access to the Service Desk, provision of support services, escalation, ticket generation and tracking, efficiency metrics, and maintenance of the service database are cohesive whether issues are taken care of by your corporate support staff, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Call Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide organizations of all sizes a versatile and cost-effective alternative for evaluating, validating, scheduling, applying, and documenting updates to your ever-evolving information system. Besides optimizing the protection and reliability of your IT network, Progent's software/firmware update management services allow your IT staff to focus on more strategic projects and activities that derive the highest business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services use Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation on iOS, Google Android, and other personal devices. With 2FA, whenever you log into a protected application and enter your password you are asked to confirm your identity via a device that only you possess and that uses a different ("out-of-band") network channel. A wide range of devices can be used as this second means of authentication, including an iPhone, an Android phone or a smartwatch, a hardware or software token, a landline telephone, etc. You can register several validation devices. For more information about ProSight Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of real-time reporting plug-ins designed to work with the top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-through or endpoints with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For Chatsworth 24/7/365 crypto-ransomware recovery experts, call Progent at 800-462-8800 or go to Contact Progent.