Ransomware : Your Worst IT Catastrophe
Ransomware  Remediation ConsultantsCrypto-Ransomware has become a too-frequent cyberplague that poses an existential threat for businesses poorly prepared for an assault. Multiple generations of ransomware like the Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been replicating for many years and continue to cause destruction. The latest versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, along with frequent as yet unnamed viruses, not only do encryption of on-line data files but also infiltrate all available system backup. Data synched to off-site disaster recovery sites can also be corrupted. In a vulnerable system, this can make automated restoration impossible and effectively sets the network back to zero.

Retrieving programs and information after a ransomware outage becomes a race against time as the targeted business tries its best to stop the spread, cleanup the ransomware, and restore enterprise-critical activity. Because ransomware requires time to replicate, attacks are usually launched during weekends and nights, when successful attacks tend to take more time to detect. This multiplies the difficulty of rapidly assembling and orchestrating a knowledgeable mitigation team.

Progent provides a variety of support services for securing enterprises from ransomware attacks. Among these are team training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of next-generation security appliances with artificial intelligence technology from SentinelOne to identify and quarantine new cyber attacks intelligently. Progent also provides the services of expert crypto-ransomware recovery professionals with the talent and perseverance to re-deploy a breached system as urgently as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a crypto-ransomware penetration, paying the ransom in cryptocurrency does not provide any assurance that distant criminals will respond with the keys to decrypt any or all of your data. Kaspersky ascertained that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms are often a few hundred thousand dollars. For larger enterprises, the ransom can reach millions of dollars. The fallback is to setup from scratch the key components of your IT environment. Without access to complete data backups, this calls for a wide range of IT skills, well-coordinated project management, and the capability to work non-stop until the job is complete.

For decades, Progent has provided certified expert IT services for companies across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned high-level industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have garnered internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of experience gives Progent the skills to knowledgably determine necessary systems and integrate the remaining pieces of your IT system after a ransomware attack and assemble them into an operational network.

Progent's security group uses top notch project management tools to coordinate the complex restoration process. Progent knows the importance of acting quickly and in concert with a customer's management and IT resources to assign priority to tasks and to put critical systems back on-line as fast as possible.

Case Study: A Successful Ransomware Virus Restoration
A business contacted Progent after their company was crashed by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state sponsored hackers, possibly adopting strategies exposed from the U.S. National Security Agency. Ryuk goes after specific companies with little or no room for operational disruption and is among the most profitable versions of ransomware viruses. Well Known organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago and has around 500 workers. The Ryuk attack had frozen all business operations and manufacturing processes. Most of the client's information backups had been on-line at the time of the intrusion and were damaged. The client was taking steps for paying the ransom (more than $200K) and praying for the best, but in the end brought in Progent.


"I cannot thank you enough in regards to the expertise Progent provided us during the most fearful period of (our) company's existence. We most likely would have paid the cybercriminals if not for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and production servers back online in less than seven days was amazing. Every single expert I got help from or messaged at Progent was amazingly focused on getting our company operational and was working all day and night on our behalf."

Progent worked together with the customer to rapidly identify and assign priority to the most important services that needed to be addressed in order to resume company functions:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To get going, Progent followed ransomware incident response best practices by isolating and cleaning up infected systems. Progent then began the work of rebuilding Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange email will not work without Active Directory, and the businesses' accounting and MRP software leveraged Microsoft SQL, which depends on Windows AD for security authorization to the databases.

In less than two days, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then helped perform rebuilding and storage recovery on mission critical applications. All Microsoft Exchange Server ties and attributes were intact, which accelerated the restore of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Off-Line Data Files) on team workstations and laptops to recover mail data. A not too old off-line backup of the businesses financials/ERP software made it possible to recover these vital services back servicing users. Although major work remained to recover completely from the Ryuk event, essential systems were restored quickly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we delivered all customer deliverables."

Over the following month critical milestones in the restoration process were achieved through tight cooperation between Progent consultants and the customer:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore Microsoft Exchange Server containing more than four million historical emails was brought online and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were completely restored.
  • A new Palo Alto 850 security appliance was brought on-line.
  • 90% of the desktop computers were back into operation.

"A huge amount of what was accomplished in the early hours is mostly a haze for me, but my management will not soon forget the urgency each of your team put in to give us our company back. I have entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered. This time was a life saver."

Conclusion
A probable company-ending disaster was averted due to results-oriented experts, a wide range of knowledge, and close collaboration. Although in hindsight the ransomware attack described here would have been blocked with up-to-date cyber security technology and recognized best practices, user and IT administrator education, and properly executed security procedures for information backup and applying software patches, the reality is that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incursion, remember that Progent's roster of professionals has extensive experience in crypto-ransomware virus defense, removal, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for allowing me to get rested after we got through the most critical parts. All of you did an amazing effort, and if anyone that helped is around the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Chatsworth a portfolio of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services incorporate modern artificial intelligence technology to detect zero-day variants of ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior analysis technology to defend physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-based AV tools. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the entire malware attack progression including blocking, identification, mitigation, cleanup, and forensics. Key features include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge technologies packaged within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your company's specific requirements and that helps you achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent's consultants can also assist your company to set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with advanced backup software companies to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that provide backup-as-a-service. ProSight DPS products manage and monitor your backup operations and allow non-disruptive backup and fast restoration of vital files/folders, apps, images, plus virtual machines. ProSight DPS helps your business avoid data loss caused by equipment breakdown, natural disasters, fire, malware such as ransomware, user mistakes, malicious employees, or application glitches. Managed services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to provide web-based management and world-class security for all your email traffic. The hybrid structure of Email Guard managed service integrates cloud-based filtering with a local security gateway device to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This reduces your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's onsite security gateway device adds a deeper layer of analysis for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map out, monitor, optimize and troubleshoot their networking hardware like routers, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, copies and manages the configuration of almost all devices on your network, tracks performance, and sends notices when issues are discovered. By automating tedious management processes, WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, locating appliances that require critical software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating at peak levels by tracking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT personnel and your assigned Progent consultant so that all potential issues can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect information about your network infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSLs or domains. By cleaning up and managing your network documentation, you can save up to 50% of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis tools to guard endpoints as well as servers and VMs against modern malware assaults such as ransomware and email phishing, which easily get by legacy signature-based anti-virus tools. Progent ASM services safeguard on-premises and cloud-based resources and provides a single platform to address the entire threat lifecycle including protection, identification, mitigation, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Support Center services enable your information technology group to offload Support Desk services to Progent or split activity for Help Desk services seamlessly between your internal network support group and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent supplement to your core support team. User interaction with the Service Desk, provision of support services, problem escalation, trouble ticket generation and updates, efficiency metrics, and management of the service database are consistent regardless of whether issues are taken care of by your corporate network support group, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide businesses of any size a versatile and cost-effective alternative for evaluating, validating, scheduling, applying, and tracking updates to your dynamic IT system. Besides optimizing the protection and reliability of your computer network, Progent's software/firmware update management services permit your IT staff to focus on line-of-business initiatives and activities that derive maximum business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo MFA service plans utilize Cisco's Duo cloud technology to protect against stolen passwords through the use of two-factor authentication. Duo supports single-tap identity verification with iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you sign into a protected online account and enter your password you are asked to verify your identity via a device that only you have and that is accessed using a different network channel. A wide range of out-of-band devices can be utilized for this second means of ID validation such as an iPhone or Android or watch, a hardware/software token, a landline telephone, etc. You can designate several verification devices. To learn more about Duo identity authentication services, go to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of real-time management reporting utilities designed to work with the industry's leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues such as spotty support follow-through or endpoints with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
For 24/7/365 Chatsworth Crypto-Ransomware Cleanup Services, contact Progent at 800-462-8800 or go to Contact Progent.