Ransomware : Your Feared Information Technology Catastrophe
Crypto-Ransomware Recovery Experts
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level threat to businesses of all sizes that are poorly prepared for an attack. Older families such as Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock have been circulating for years and still cause destruction. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with the as-yet-unnamed malware that appears daily, not only encrypt online data but also encrypt or delete every backup that is reachable from the compromised network. Files synced to cloud storage can also be ransomed, because the sync client dutifully uploads the encrypted versions over the originals. In a vulnerable environment this makes automated restore operations impossible and effectively sets the entire system back to zero.

Getting applications and data back online after a crypto-ransomware event becomes a race against time as the victim struggles to contain the damage, eradicate the malware, and resume business-critical activity. Because encrypting an entire environment takes time, attackers typically trigger the payload at night or on weekends, when the intrusion is less likely to be noticed quickly. This compounds the difficulty of promptly assembling and organizing a knowledgeable response team.

Progent provides a variety of support services for protecting organizations from crypto-ransomware. Among these are staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for managed endpoint protection, and deployment of SentinelOne's behavior-based endpoint protection to detect and stop new threats automatically. Progent also provides the assistance of veteran crypto-ransomware recovery professionals with the track record and commitment to rebuild a compromised environment as urgently as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware attack, even paying the ransom in Bitcoin does not guarantee that the attackers will provide the keys to decrypt any of your files. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the exchange rates of the time). This is far higher than the typical ransomware demand, which ZDNet put at approximately $13,000. The alternative is to rebuild the key components of your IT environment. Without access to complete, uncompromised backups, this requires a wide range of skill sets, well-coordinated project management, and the ability to work around the clock until the job is done.

For twenty years, Progent has provided expert IT services for companies in Stamford and across the U.S. and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold top industry certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP software. This breadth of expertise allows Progent to quickly identify the systems that must come back first, salvage the surviving pieces of your network following a ransomware attack, and assemble them into a functioning whole.

Progent's ransomware team uses top-notch project management systems to coordinate the complicated recovery process. Progent knows the importance of acting quickly and in unison with a client's management and IT staff to prioritize tasks and get critical applications back online as soon as possible.

Customer Story: A Successful Ransomware Intrusion Recovery
A client contacted Progent after their network was crippled by Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware, but later analysis links it to a Russian-speaking criminal group, commonly tracked as Wizard Spider, that deploys it by hand after gaining an initial foothold. Ryuk targets specific businesses with little or no ability to sustain disruption and is one of the most lucrative ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in Chicago with about 500 employees. The Ryuk attack had halted all company operations and manufacturing. Most of the client's backups had been directly reachable from the network at the time of the attack and were encrypted along with everything else. The client was weighing whether to pay the ransom (in excess of $200,000) and hope for the best, but ultimately engaged Progent.


"I cannot thank you enough for the care Progent provided us throughout the most stressful time of (our) business's survival. We would have had little choice but to pay the cyber criminals behind the attack if it weren't for the confidence the Progent team afforded us. That you could get our messaging and important applications back online in faster than five days was earth shattering. Each expert I got help from or e-mailed at Progent was urgently focused on getting us back online and was working at all hours to bail us out."

Progent worked with the customer to quickly understand and prioritize the essential elements that had to be restored to make it possible to resume business operations:

  • Active Directory (AD)
  • E-Mail
  • Accounting/MRP
To begin, Progent followed ransomware incident response best practices by isolating affected systems to halt the spread and then cleaning up infected hosts. Progent then began recovering Microsoft Active Directory, the heart of any environment built on Windows Server. Microsoft Exchange will not function without AD, and the customer's accounting and MRP system ran on Microsoft SQL Server configured for Windows authentication, which also depends on AD.

Within two days, Progent had restored Active Directory to its pre-attack state. Progent then helped with reinstallation and storage recovery on the most important servers. All Exchange Server data and attributes were intact, which simplified the Exchange restore. Progent was also able to locate intact OST files (Outlook offline data files) on various desktops and laptops and use them to recover mail data; because an OST is bound to the mailbox profile that created it, this typically requires exporting the contents to PST or reconnecting the original account rather than opening the file directly. A reasonably recent offline backup of the client's accounting/MRP software made it possible to bring these vital applications back online for users. Although significant work remained to recover completely from the Ryuk damage, core services were restored quickly:
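Restoring a domain from backup is only half of the AD step described above; the restored forest has to be verified before Exchange and SQL Server are rejoined to it, and a backup taken before the attack brings back the same Kerberos secrets the intruders may already have dumped. The following PowerShell script is an added example of that post-restore check, not Progent's own tooling or procedure. It assumes the ActiveDirectory RSAT module, Domain Admin rights on a restored domain controller, and a hypothetical $IncidentStart timestamp that you replace with the time the attack actually began.

```powershell
<#
Added example: post-restore Active Directory sanity check.
Not Progent's code. Assumes the ActiveDirectory RSAT module, Domain Admin rights,
and that $IncidentStart (hypothetical placeholder) is when the attack began.
#>
[CmdletBinding()]
param(
    [datetime]$IncidentStart = (Get-Date '2019-01-01')   # placeholder; replace with your incident time
)
Import-Module ActiveDirectory -ErrorAction Stop

$domain  = Get-ADDomain
$forest  = Get-ADForest
$rootDse = Get-ADRootDSE
'Domain {0} ({1}); forest {2} ({3})' -f $domain.DNSRoot, $domain.DomainMode, $forest.Name, $forest.ForestMode

# 1. FSMO role holders. If a restored DC still names a dead server as RID master or PDC
#    emulator, new accounts and password changes fail until the role is moved or seized.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    $state  = if (Test-Connection -ComputerName $holder -Count 1 -Quiet) { 'reachable' }
              else { 'UNREACHABLE: seize with Move-ADDirectoryServerOperationMasterRole -Force' }
    '{0,-22} {1,-35} {2}' -f $role, $holder, $state
}

# 2. Replication. Every partner link must have succeeded since the restore, and no DC may
#    have been isolated longer than the tombstone lifetime; such a DC must be demoted and
#    re-promoted, not simply reconnected, or it will reintroduce deleted objects.
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" -Properties tombstoneLifetime
$tombstoneDays = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }  # unset attribute = legacy 60-day default
foreach ($dc in Get-ADDomainController -Filter *) {
    $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue
    foreach ($m in $meta) {
        $age  = (Get-Date) - $m.LastReplicationSuccess
        $flag = if ($age.TotalDays -gt $tombstoneDays) { 'STALE: beyond tombstone lifetime' }
                elseif ($m.LastReplicationResult -ne 0)  { "error $($m.LastReplicationResult)" }
                else { 'ok' }
        '{0,-16} partner {1,-45} {2,-22} last success {3:g} {4}' -f $dc.Name, $m.Partner, $m.Partition, $m.LastReplicationSuccess, $flag
    }
}

# 3. SYSVOL must be shared on every DC, or Group Policy (including a GPO-deployed
#    endpoint agent) silently stops applying after the restore.
foreach ($dc in Get-ADDomainController -Filter *) {
    $share = Get-SmbShare -CimSession $dc.HostName -Name SYSVOL -ErrorAction SilentlyContinue
    '{0,-16} SYSVOL {1}' -f $dc.Name, $(if ($share) { 'shared' } else { 'MISSING: check DFSR and the SysvolReady flag' })
}

# 4. Credential hygiene. A pre-attack backup restores the old krbtgt secret, so any Kerberos
#    tickets forged from a dumped hash remain valid. Reset krbtgt twice (Set-ADAccountPassword
#    -Identity krbtgt -Reset), allowing replication between resets, then confirm the date.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt $IncidentStart) {
    'krbtgt password last set {0:g}, BEFORE the incident: reset it twice to invalidate forged tickets' -f $krbtgt.PasswordLastSet
} else {
    'krbtgt rotated {0:g} (after the incident)' -f $krbtgt.PasswordLastSet
}

# 5. Privileged accounts created or modified during the attack window are a common
#    persistence foothold that a restore from backup does not necessarily remove.
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser $_.DistinguishedName -Properties whenCreated, whenChanged, Enabled } |
    Where-Object { $_.whenCreated -ge $IncidentStart -or $_.whenChanged -ge $IncidentStart } |
    Select-Object SamAccountName, Enabled, whenCreated, whenChanged
```

Run it on each restored domain controller before re-pointing application servers at the domain. Steps 1 through 3 are the conditions Exchange and SQL Server need to authenticate at all; steps 4 and 5 are why "restored to its pre-attack state" is not the same as "clean", and should be repeated for every service account whose hash may have been exposed.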


"For the most part, the production line operation was never shut down and we delivered all customer deliverables."

During the following month important milestones in the restoration process were completed in close collaboration between Progent engineers and the customer:

  • Self-hosted web applications were returned to operation without losing any information.
  • The MailStore email archive for Exchange, containing more than 4 million messages, was brought online and made accessible to users.
  • CRM/Customer Orders/Invoicing/AP/AR/Inventory capabilities were completely recovered.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Ninety percent of the user desktops were operational.

"Much of what was accomplished those first few days is nearly entirely a haze for me, but my team will not soon forget the commitment all of the team put in to help get our company back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."

Conclusion
A likely company-ending disaster was averted through the efforts of top-tier experts, a broad spectrum of IT skills, and tight teamwork. In hindsight, the attack described here could have been detected and blocked with modern security tooling, ISO/IEC 27001 best practices, staff training, and well-thought-out procedures for offline backups and patch management. The fact remains, however, that criminal and state-sponsored cyber gangs from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by ransomware, you can be confident that Progent's team has substantial experience in ransomware defense, cleanup, and disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for allowing me to get some sleep after we made it over the first week. All of you made a fabulous effort, and if anyone that helped is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Stamford a range of online monitoring and security evaluation services to help you to reduce the threat from ransomware. These services utilize next-generation artificial intelligence technology to uncover new variants of crypto-ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's behavior-based machine learning technology to defend physical and virtual endpoints against new malware such as ransomware and file-less exploits, which easily evade traditional signature-matching AV tools. ProSight ASM safeguards local and cloud-based resources and offers a unified platform to manage the entire attack lifecycle, including blocking, intrusion detection, containment, cleanup, and forensics. Top capabilities include single-click rollback of encrypted files using Windows Volume Shadow Copy Service (VSS) snapshots and real-time, fleet-wide immunization against newly detected attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and behavior analysis to continuously monitor and respond to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through technologies incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help you design and configure a ProSight ESP environment that meets your company's needs and helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also help you install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup technology companies to create ProSight Data Protection Services, a portfolio of management offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup operations and enable non-disruptive backup and fast restoration of vital files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss caused by hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, malicious employees, or application bugs. Managed services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security companies to provide centralized control and comprehensive protection for your inbound and outbound email. Email Guard combines a Cloud Protection Layer with a local gateway device to defend against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter acts as the first line of defense and keeps the vast majority of unwanted email from ever reaching your network firewall, which reduces your exposure to inbound attacks and conserves bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of analysis for incoming email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server track and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, enhance and troubleshoot their connectivity appliances like routers and switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming network management processes, WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating devices that need important software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by checking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT personnel and your assigned Progent consultant so any potential problems can be resolved before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be ported easily to a different hosting environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect information about your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL/TLS certificates or domain registrations. By keeping your network documentation current and organized, you can save as much as half the time spent searching for vital information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required to manage your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is a managed endpoint protection service that uses behavior-based machine learning to defend endpoints as well as physical and virtual servers against modern attacks such as ransomware and email phishing, which easily evade traditional signature-based AV products. The service protects local and cloud-based resources and provides a single platform to automate the entire attack lifecycle, including protection, intrusion detection, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows VSS snapshots and real-time, fleet-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Call Center Managed Services
    Progent's Help Desk services permit your information technology staff to offload Help Desk services to Progent or split activity for Help Desk services seamlessly between your in-house support resources and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent supplement to your corporate support resources. Client interaction with the Help Desk, provision of support services, problem escalation, trouble ticket creation and updates, efficiency measurement, and management of the support database are consistent regardless of whether incidents are taken care of by your corporate support staff, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/shared Call Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management provide organizations of any size a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking updates to your ever-evolving information system. Besides optimizing the protection and functionality of your computer network, Progent's patch management services permit your in-house IT staff to focus on more strategic projects and activities that deliver maximum business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo technology to defend against stolen passwords through two-factor authentication. Duo enables one-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you sign into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that communicates over a separate channel. A wide selection of devices can serve as this second factor, including an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline phone. You may designate multiple verification devices. To find out more about Duo two-factor authentication services, visit Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of in-depth reporting tools designed to integrate with the leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For 24/7/365 Stamford ransomware recovery consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.