Ransomware : Your Feared Information Technology Disaster
Ransomware Remediation Consultants
Ransomware has become a modern cyber pandemic that poses an extinction-level threat to businesses of any size that are vulnerable to an attack. Multiple generations of crypto-ransomware, including CryptoLocker, WannaCry, Locky, NotPetya and MongoLock, have been running rampant for years and still inflict harm. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, along with as-yet-unnamed newcomers that appear daily, not only encrypt online files but also encrypt or delete every backup they can reach. Data replicated to off-site disaster recovery sites can be ransomed as well, because replication faithfully copies the encrypted files. In a poorly architected environment this renders automated recovery useless and effectively sets the network back to zero; only backups that are offline, immutable, or otherwise unreachable with the credentials the attacker holds survive.

Recovering applications and data after a ransomware event becomes a sprint against the clock as the targeted organization works to stop lateral movement, eradicate the crypto-ransomware, and resume business-critical operations. Because crypto-ransomware needs time to spread, attacks are often launched on weekends or holidays, when they are likely to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and organizing a capable response team.
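The timing point above has a practical consequence for detection. Ryuk-style deployments run a short, recognizable sequence of backup- and recovery-tampering commands before encryption starts: deleting volume shadow copies, shrinking shadow storage so remaining copies are evicted, wiping the Windows Server Backup catalog, and disabling startup repair. A process-creation log is therefore one of the earliest places the attack can be recognized, hours before anyone notices encrypted files on a Monday morning. The Python script below is an added example written for this page; it is not Progent's code or anything from the original article. It runs detection logic over constructed process-creation records in an invented key=value export format (the field names, the 10-minute burst window and the 07:00-19:00 business-hours boundary are assumptions; real 4688 or Sysmon exports differ and the record regex would need adapting) and flags the tampering commands, raising severity when several distinct ones fire on one host in quick succession or when they run off-hours.

```python
"""Flag Ryuk-style backup/recovery tampering in process-creation records.

Added example for this page, not Progent's code. The one-event-per-line
key=value record format is an assumption standing in for a real 4688 or
Sysmon event export; adapt RECORD_RE to your collector.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed export format: <utc-ts> host=<name> user=<domain\user> parent=<image> cmd="<cmdline>"
RECORD_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Commands seen in Ryuk deployment scripts ahead of encryption. Matching is
# case-insensitive and tolerant of extra spaces and of cmd.exe /c wrapping.
TAMPER_RULES = {
    "vss_delete_shadows":  re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "vss_resize_storage":  re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_del": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_cat":  re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_no_recovery": re.compile(r"bcdedit(?:\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "bcdedit_ignore_fail": re.compile(r"bcdedit(?:\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
}

BURST_WINDOW = timedelta(minutes=10)   # assumption: tune to your environment
BUSINESS_HOURS = range(7, 19)          # assumption: 07:00-19:00, timestamps treated as local


@dataclass
class Alert:
    ts: datetime
    host: str
    user: str
    rule: str
    severity: str
    cmd: str


def parse_record(line):
    """Return a dict of fields, or None for lines that are not process records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_off_hours(ts):
    """Weekend or outside business hours: the windows attackers prefer."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(lines):
    """Scan records in time order and return one Alert per matching rule.

    Severity is 'high' when the command runs off-hours, or when two or more
    distinct tamper rules fire on the same host inside BURST_WINDOW (that is
    a script, not an administrator); otherwise 'medium'.
    """
    alerts = []
    fired = defaultdict(list)   # host -> [(ts, rule)] for burst correlation
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for rule, pattern in TAMPER_RULES.items():
            if not pattern.search(rec["cmd"]):
                continue
            fired[rec["host"]].append((rec["ts"], rule))
            recent = {r for t, r in fired[rec["host"]] if rec["ts"] - t <= BURST_WINDOW}
            severity = "high" if len(recent) >= 2 or is_off_hours(rec["ts"]) else "medium"
            alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rule, severity, rec["cmd"]))
    return alerts


def summarize(alerts):
    """Host -> sorted distinct rules: the containment list for the responder."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


# Constructed sample records, not real logs. Tuesday 2019-03-12 is business as
# usual (one admin shadow deletion included); Saturday 02:14 is the deployment.
SAMPLE_LINES = [
    '2019-03-12T10:02:11Z host=FS01 user=CORP\\jsmith parent=powershell.exe cmd="vssadmin list shadows"',
    '2019-03-12T14:30:45Z host=FS02 user=CORP\\jsmith parent=powershell.exe cmd="vssadmin delete shadows /for=D: /oldest"',
    '2019-03-12T22:00:00Z host=FS01 user=CORP\\svc_backup parent=services.exe cmd="wbadmin start backup -backupTarget:\\\\bkp01\\nightly -include:D: -quiet"',
    '2019-03-16T02:14:07Z host=FS01 user=CORP\\svc_backup parent=cmd.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    '2019-03-16T02:14:08Z host=FS01 user=CORP\\svc_backup parent=cmd.exe cmd="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    '2019-03-16T02:14:09Z host=FS01 user=CORP\\svc_backup parent=cmd.exe cmd="bcdedit /set {default} recoveryenabled No"',
    '2019-03-16T02:14:10Z host=FS01 user=CORP\\svc_backup parent=cmd.exe cmd="wbadmin delete catalog -quiet"',
    '2019-03-16T02:15:31Z host=WS-ACCT07 user=CORP\\svc_backup parent=cmd.exe cmd="cmd.exe /c WMIC shadowcopy delete"',
    'this is not a process record and is skipped',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(f"{a.ts:%a %H:%M} {a.severity:6} {a.host:10} {a.rule:20} {a.cmd}")
```

A single `vssadmin delete shadows` during business hours is something an administrator may legitimately run, which is why it rates only medium; the same command at 02:14 on a Saturday, followed within seconds by shadow-storage resizing, catalog deletion and a bcdedit change under a backup service account, is the deployment script and should page someone. Blocking these commands at the endpoint matters as much as alerting on them: if the shadow copies survive, snapshot-based rollback remains an option, and if they do not, recovery depends entirely on backups the attacker could not reach.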

Progent offers a variety of solutions for protecting organizations from ransomware attacks. Among these are user training to help staff recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for managed endpoint protection and response, and deployment of the latest generation of endpoint protection built on SentinelOne's behavioral AI to identify and contain zero-day threats quickly. Progent also offers the services of experienced ransomware recovery engineers with the skill and perseverance to rebuild a breached environment as soon as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the attackers will provide the keys needed to decrypt any or all of your data. Kaspersky found that seventeen percent of ransomware victims who paid never recovered their data, compounding their losses. The ransom itself is also expensive: Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), well above the average ransomware demand, which ZDNet put at around $13,000. The other path is to rebuild the essential elements of your IT environment. Without usable backups, this requires a broad range of skills, professional team management, and the ability to work around the clock until the job is done.

For two decades, Progent has provided certified expert Information Technology services for businesses in Chatsworth and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity engineers have earned internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial systems and ERP software solutions. This breadth of expertise provides Progent the capability to rapidly understand important systems and consolidate the remaining components of your computer network environment after a crypto-ransomware event and assemble them into an operational network.

Progent's recovery group utilizes state-of-the-art project management systems to orchestrate the complex recovery process. Progent understands the importance of acting rapidly and in unison with a customer's management and Information Technology staff to prioritize tasks and to put essential systems back online as soon as humanly possible.

Client Story: A Successful Crypto-Ransomware Virus Restoration
A business contacted Progent after its network was brought down by Ryuk ransomware. Ryuk was derived from the Hermes ransomware, which had earlier been used by North Korean state-sponsored hackers; the Ryuk operation itself is generally attributed to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for disruption and is one of the most lucrative ransomware strains. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and Tribune Publishing, whose papers include the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with around 500 employees. The Ryuk intrusion had frozen all essential business and manufacturing operations. Most of the client's backups had been directly accessible from the network when the attack began and were destroyed along with the production data. The client was arranging financing to pay the ransom (in excess of $200,000) and hoping for the best, but in the end turned to Progent.


"I can't say enough about the help Progent gave us during the most fearful time of (our) business's life. We would have paid the cybercriminals if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and key servers back on-line quicker than one week was something I thought impossible. Every single expert I interacted with or e-mailed at Progent was totally committed to getting us working again and was working 24 by 7 on our behalf."

Progent worked together with the customer to quickly understand and assign priority to the key applications that had to be addressed in order to continue business functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To start, Progent followed incident response best practices by containing the spread and eradicating the active malware. Progent then began recovering Microsoft Active Directory, the foundational service of enterprise environments built on Microsoft Windows. Microsoft Exchange will not function without AD, and the customer's MRP software relied on SQL Server, which depends on Active Directory for authenticating access to the data.

In less than two days, Progent rebuilt Active Directory services to their pre-attack state. Progent then pressed ahead with rebuilding the most important systems and recovering their disk contents. The Exchange Server's configuration data and directory attributes were intact, which accelerated the Exchange rebuild, and Progent located intact OST files (Outlook Offline Data Files) on staff workstations and used them to recover mailbox contents. A recent offline backup of the accounting/MRP system, which the attackers had not been able to reach, made it possible to bring those essential applications back to users. Although a great deal of work remained to recover fully from the Ryuk attack, core services were restored quickly:


"For the most part, the assembly line operation ran fairly normal throughout and we made all customer shipments."

Over the following few weeks, critical milestones in the recovery project were reached through tight collaboration between Progent consultants and the customer:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore email archive server, holding more than 4 million archived messages, was brought back online and made available to users.
  • CRM, product ordering, invoicing, AP/AR and inventory control capabilities were completely recovered.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Ninety percent of the desktops and laptops were back in operation.

"A huge amount of what transpired that first week is mostly a fog for me, but our team will not soon forget the commitment each of your team accomplished to help get our business back. I've utilized Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered. This time was a stunning achievement."

Conclusion
A probable business-extinction event was avoided through dedicated experts, a broad range of knowledge, and close collaboration. Post-incident forensics showed that the attack described here would have been prevented by up-to-date security controls aligned with the NIST Cybersecurity Framework or ISO/IEC 27001, staff training, and sound procedures for backups (kept offline or otherwise out of reach of a compromised domain) and for applying software patches. The fact remains, however, that criminal and state-sponsored cyber gangs from Russia, China and elsewhere are relentless and will keep attacking. If you do fall victim to a ransomware incident, remember that Progent's team has substantial experience in ransomware defense, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thanks very much for allowing me to get rested after we got through the initial push. All of you did an impressive job, and if anyone is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Chatsworth a portfolio of remote monitoring and security assessment services to help reduce your exposure to ransomware. These services include next-generation AI capability to detect zero-day variants of ransomware that escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's behavior-based analysis technology to guard physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which easily escape traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to address the entire malware attack progression, including protection, detection, mitigation, remediation, and post-attack forensics. Top features include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Rollback is only possible if the shadow copies survive, so a platform's ability to block the shadow-copy deletion that ransomware attempts before encrypting matters as much as the rollback itself. Progent is a certified SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP environment that meets your organization's unique needs and that allows you to demonstrate compliance with legal and industry data security regulations. Progent will assist you to specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent can also assist you to set up and verify a backup and restore system like ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup software companies to produce ProSight Data Protection Services (DPS), a family of managed offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your backup processes and enable transparent backup and fast restoration of vital files, apps, images, and VMs. ProSight DPS helps your business avoid data loss resulting from equipment failures, natural disasters, fire, cyber attacks such as ransomware, human mistakes, malicious insiders, or application bugs. Managed services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security companies to deliver web-based management and comprehensive security for all your email traffic. The architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to offer advanced defense against spam, viruses, denial-of-service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as a first line of defense and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway device adds a further level of inspection for incoming email. For outgoing email, the onsite gateway offers AV and anti-spam protection, DLP, and email encryption. The local security gateway can also help Exchange Server monitor and protect internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, track, reconfigure and debug their connectivity appliances like switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always updated, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are discovered. By automating complex management processes, ProSight WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, finding appliances that need critical updates, or resolving performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by tracking the health of the critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT staff and your Progent engineering consultant so potential issues can be addressed before they disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be moved easily to a different hosting solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or domain registrations. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of the time spent looking for critical information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that utilizes advanced behavior-analysis technology to defend workstations as well as physical and virtual servers against modern malware attacks such as ransomware and fileless exploits, which easily evade legacy signature-matching anti-virus products. Progent's ASM services safeguard on-premises and cloud resources and provide a unified platform that automates the entire threat progression: blocking, intrusion detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Desk: Help Desk Managed Services
    Progent's Help Desk managed services enable your IT staff to outsource Call Center services to Progent or divide responsibilities for Help Desk services transparently between your internal network support staff and Progent's extensive roster of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a seamless supplement to your core network support staff. End user interaction with the Help Desk, delivery of technical assistance, problem escalation, ticket creation and updates, efficiency metrics, and maintenance of the support database are consistent regardless of whether issues are resolved by your corporate support group, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management provide organizations of all sizes a versatile and affordable solution for evaluating, testing, scheduling, implementing, and documenting updates to your ever-evolving IT system. In addition to optimizing the security and functionality of your IT network, Progent's software/firmware update management services permit your in-house IT team to concentrate on more strategic projects and tasks that derive the highest business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication. Duo supports single-tap identity verification on Apple iOS, Google Android, and other personal devices. With Duo 2FA, when you sign into a secured application and enter your password you are asked to verify your identity via a device that only you possess and that uses a separate network channel. A wide range of out-of-band devices can serve as this second form of identity validation, such as an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline telephone. You can designate several validation devices. For more information about Duo identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
For Chatsworth 24x7x365 CryptoLocker Recovery Help, reach out to Progent at 800-462-8800 or go to Contact Progent.