Ransomware: Your Crippling Information Technology Disaster
Crypto-Ransomware Remediation Experts

Ransomware has become an escalating cyberplague that presents an extinction-level threat for organizations unprepared for an attack. Older families such as Dharma, CryptoWall, Locky, SamSam and MongoLock have been in the wild for years and still inflict harm. Modern variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, along with new strains that appear daily, do not just encrypt online business data: before encrypting, the operators disable or corrupt whatever protection they can reach, including endpoint security agents and online backups. Files synchronized to cloud storage can be corrupted as well. In a poorly designed environment this can make recovery hopeless and effectively sets the network back to zero.

Getting applications and data back online after a ransomware event is a race against time as the targeted business fights to stop lateral movement, remove the malware, and restore business-critical operations. Because the operators need time to move laterally and stage the encryption, the final assault is usually launched at night, when a successful attack takes longer to discover. This multiplies the difficulty of rapidly mobilizing and coordinating a qualified response team.
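The off-hours pattern described above is something a defender can measure rather than guess at. The PowerShell below is added here as an example and is not Progent's or SentinelOne's tooling: run on a domain controller or file server, it pulls successful logons (event 4624) from the Security log, keeps only network (type 3) and RDP (type 10) logons, which are the types hands-on-keyboard operators generate while moving laterally, and reports the ones that fall outside an assumed business window of 07:00-19:00 on weekdays. The look-back period, the business hours and the excluded accounts are assumptions to adjust for your environment.

```powershell
# Off-hours remote logon hunt (added example, not Progent's or SentinelOne's code).
# Run elevated on a domain controller or file server. Event 4624 = successful logon;
# logon type 3 = network (SMB/admin shares, PsExec, WMI), type 10 = RemoteInteractive (RDP).
$LookbackDays  = 7          # assumption: how far back to search
$BusinessStart = 7          # assumption: business hours 07:00-19:00, Monday-Friday
$BusinessEnd   = 19
$Weekend       = 'Saturday', 'Sunday'

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['LogonType'] -notin '3', '10') { continue }
    # Skip machine accounts (trailing $), anonymous and local system logons.
    if ($d['TargetUserName'] -like '*$' -or $d['TargetUserName'] -in 'ANONYMOUS LOGON', 'SYSTEM') { continue }

    $t = $e.TimeCreated
    $offHours = ($t.Hour -lt $BusinessStart) -or ($t.Hour -ge $BusinessEnd) -or ($t.DayOfWeek.ToString() -in $Weekend)
    if (-not $offHours) { continue }

    [pscustomobject]@{
        Time        = $t
        User        = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        LogonType   = $d['LogonType']
        SourceIP    = $d['IpAddress']
        Workstation = $d['WorkstationName']
    }
}

# One row per user/source pair: how many off-hours logons, and when they started and stopped.
# A single account fanning out to many hosts at 02:00 is the lateral-movement pattern to chase.
$hits |
    Group-Object User, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Backup jobs and patching windows will show up here too, so the first run establishes a baseline; the rows worth an immediate look are accounts that have never appeared off-hours before, or one source address reaching many targets in a short span. Security log retention on busy servers is often only a few days, so forward these events to a collector if you want the full seven-day window.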

Progent provides an assortment of services for protecting businesses from crypto-ransomware events. These include staff training to help identify and avoid phishing attempts, ProSight Active Security Monitoring, which uses SentinelOne's behavior-based, machine-learning endpoint protection to detect and stop new attacks automatically, and remote monitoring and management of your network. Progent also provides experienced ransomware recovery professionals with the skills and perseverance to rebuild a breached system as rapidly as possible.

Progent's Ransomware Restoration Services
After a ransomware event, paying the ransom in Bitcoin does not ensure that the criminals will provide the keys to decrypt any or all of your information. Kaspersky estimated that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also steep: Ryuk demands commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The other path is to piece back together the vital elements of your IT environment. Without usable backups of essential data, this calls for a wide complement of IT skills, professional team management, and the capability to work non-stop until the job is done.

For decades, Progent has provided professional IT services for companies in Pasadena and throughout the United States and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of experience gives Progent the skills to quickly understand important systems, gather the surviving pieces of your network after a crypto-ransomware attack, and assemble them into a functioning system.

Progent's ransomware team uses state-of-the-art project management applications to orchestrate the complicated restoration process. Progent knows the importance of acting rapidly and in unison with a client's management and Information Technology resources to prioritize tasks and to put the most important applications back on line as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Incident Response
A small business sought out Progent after its network was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state hackers because it shares code with the Hermes ransomware, possibly adapting techniques leaked from America's National Security Agency; later analysis attributed it to Russian-speaking criminal operators. Ryuk targets specific organizations with little or no tolerance for downtime and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with around 500 staff members. The Ryuk intrusion had frozen all essential business and manufacturing operations. Most of the client's system backups had been online when the intrusion began and were damaged. The client was considering paying the ransom (more than $200,000) and hoping for the best, but in the end called Progent.


"I cannot speak enough about the support Progent gave us during the most critical period of (our) business's survival. We had little choice but to pay the cybercriminals if not for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and key servers back into operation quicker than seven days was beyond my wildest dreams. Every single expert I spoke to or communicated with at Progent was laser focused on getting us operational and was working 24/7 on our behalf."

Progent worked with the customer to quickly understand and prioritize the critical services that had to be restored before business functions could resume:

  • Windows Active Directory
  • Microsoft Exchange Email
  • MRP System
To start, Progent followed ransomware incident response best practices: isolating affected systems to stop the spread and cleaning infected hosts. Progent then began rebuilding Active Directory, the foundation of enterprise networks built on Windows Server. Exchange messaging will not function without AD, and the customer's MRP software used Microsoft SQL Server, which relied on AD for Windows authentication and authorization to the database.

Within two days, Progent had restored Active Directory to its pre-attack state. Progent then assisted with rebuilding and storage recovery on mission-critical systems. The Exchange data and configuration information were usable, which accelerated the Exchange restore, and Progent also gathered intact OST files (Outlook Offline Folder Files) from staff PCs to recover mail data. A reasonably recent offline backup of the manufacturing systems made it possible to bring these essential services back to users. Although a large amount of work remained to recover fully from the Ryuk damage, critical services were back quickly:
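The Active Directory rebuild described above is where most of the recovery risk lives: a restored domain is only clean if the attacker's accounts, group changes and Kerberos tickets did not come back with it. The following PowerShell is added here as an example and is not Progent's own procedure. It runs the checks a responder makes once the domain is back: replication health across all domain controllers, objects created or changed during the incident window, current membership of the privileged groups expanded through nesting, passwords set during the window, and a rotation of the krbtgt account that invalidates any forged (Golden Ticket) Kerberos tickets. The incident start date is an assumption; the script needs the RSAT ActiveDirectory module and Domain Admin rights.

```powershell
# Post-recovery Active Directory triage (added example, not Progent's procedure).
# Requires the RSAT ActiveDirectory module; run as a Domain Admin on a clean, rebuilt DC.
Import-Module ActiveDirectory

$IncidentStart = Get-Date '2019-10-01'        # assumption: earliest known attacker activity

# 1. Every DC must be replicating before anything below can be trusted.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem | Format-Table -AutoSize
repadmin /replsummary

# 2. Anything created or changed since the incident began: attacker-created users,
#    computers joined for persistence, GPOs edited to push the encryptor.
Get-ADObject -Filter { whenChanged -ge $IncidentStart } -Properties whenCreated, whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object Name, ObjectClass, whenCreated, whenChanged, DistinguishedName |
    Format-Table -AutoSize

# 3. Who holds domain-wide privilege right now, expanded through nested groups.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, ObjectClass
}

# 4. Passwords set during the window are either the attacker's or an admin's emergency
#    change; either way they need review, and attacker-created accounts must be disabled.
Get-ADUser -Filter { PasswordLastSet -ge $IncidentStart } -Properties PasswordLastSet, Enabled |
    Select-Object SamAccountName, Enabled, PasswordLastSet | Format-Table -AutoSize

# 5. Rotate krbtgt so any Golden Ticket minted from the old key hash stops working.
#    AD ignores the supplied value and generates a random key, but the cmdlet requires one.
#    Reset once, let replication finish, then reset again after at least the maximum
#    ticket lifetime (10 hours by default): two immediate resets strand every valid ticket,
#    because the KDC only keeps the current and previous key.
function Reset-KrbtgtKey {
    $junk = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
    Set-ADAccountPassword -Identity krbtgt -Reset `
        -NewPassword (ConvertTo-SecureString $junk -AsPlainText -Force)
    Get-ADUser krbtgt -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet
}
# Reset-KrbtgtKey   # uncomment to run the first reset; repeat after the waiting period
```

Steps 2 through 4 are read-only and can be run repeatedly as the rebuild progresses; step 5 changes the domain and should be scheduled, since the second reset is what actually closes the door and it has to wait out the ticket lifetime. Every account that shows up in steps 2 and 4 without a named administrator to vouch for it should be disabled before users are let back in.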


"For the most part, the production line operation ran fairly normally throughout and we made all customer shipments."

During the following month, key milestones in the restoration project were reached through close collaboration between Progent consultants and the client:

  • In-house web applications were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million archived emails was spun up and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control modules were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Most of the desktop computers were back in operation.

"A lot of what went on during the initial response is nearly entirely a blur for me, but my team will not forget the dedication all of you put in to give us our business back. I've utilized Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered. This time was the most impressive ever."

Conclusion
A probable business disaster was averted by hard-working professionals, a wide spectrum of IT skills, and close collaboration. With the benefit of the completed forensics, the crypto-ransomware attack described here would have been identified and stopped by current cyber security technology, recognized best practices, staff training, and properly executed procedures for data backup and patching; nevertheless, state-sponsored and criminal attackers from Russia, North Korea and elsewhere are relentless and will keep trying. If you are hit by a ransomware attack, remember that Progent's roster of professionals has proven experience in ransomware blocking, removal, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get rested after we got past the initial push. Everyone made an incredible effort, and if any of your guys are around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Pasadena a range of remote monitoring and security evaluation services designed to reduce your exposure to ransomware. These services incorporate modern machine-learning capabilities to uncover zero-day strains of ransomware that get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses SentinelOne's cutting-edge behavior-based analysis to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily get past legacy signature-matching anti-virus products. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to automate the complete threat lifecycle: blocking, identification, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Progent is a certified SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies packaged within one agent and managed from a single console. Progent's security and virtualization experts can help you plan and implement a ProSight ESP deployment that addresses your company's specific requirements and helps you demonstrate compliance with government and industry data protection standards. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent's consultants can also help you set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup software providers to produce ProSight Data Protection Services, a family of backup-as-a-service offerings. ProSight DPS products automate and track your data backup operations and allow non-disruptive backup and fast restoration of important files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss caused by hardware failure, natural disasters, fire, malware such as ransomware, user mistakes, malicious insiders, or software glitches. Managed services in the ProSight Data Protection Services line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you determine which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that builds on the infrastructure of leading data security companies to deliver centralized control and comprehensive security for all your email traffic. Email Guard's layered architecture combines a Cloud Protection Layer with an on-premises gateway appliance to defend against spam, viruses, denial of service attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as a first barrier and keeps the vast majority of threats from reaching your security perimeter, which reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-site gateway device provides a further level of inspection for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also work with Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, track, enhance and debug their connectivity appliances like routers, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when potential issues are detected. By automating tedious management processes, ProSight WAN Watch can knock hours off common tasks such as network mapping, expanding your network, locating appliances that require important software patches, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network running at peak levels by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT management staff and your Progent consultant so that all potential issues can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved easily to a different hosting solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect information related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can eliminate as much as half of time wasted looking for critical information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that uses cutting-edge behavior-based machine learning to guard endpoint devices and physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which easily get past legacy signature-matching anti-virus tools. The service protects local and cloud resources and provides a single platform to automate the complete threat lifecycle: blocking, identification, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Service Center: Support Desk Managed Services
    Progent's Call Center services allow your information technology staff to offload Support Desk services to Progent or split activity for Help Desk services seamlessly between your internal network support staff and Progent's nationwide roster of IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a smooth supplement to your core support staff. User interaction with the Service Desk, provision of technical assistance, problem escalation, trouble ticket creation and updates, efficiency measurement, and maintenance of the service database are cohesive regardless of whether issues are taken care of by your core IT support organization, by Progent's team, or both. Read more about Progent's outsourced/shared Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of any size a versatile and affordable alternative for assessing, validating, scheduling, applying, and tracking updates to your ever-evolving IT network. In addition to optimizing the security and functionality of your IT environment, Progent's patch management services permit your IT team to focus on more strategic projects and activities that deliver the highest business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA managed services use Cisco's Duo technology to protect against stolen passwords through two-factor authentication. Duo supports single-tap identity confirmation on Apple iOS, Google Android, and other personal devices. With 2FA, whenever you sign into a protected application and enter your password you are asked to verify your identity on a device that only you have and that uses a different network channel. A wide selection of out-of-band devices can be used for this second means of validation, such as an iPhone, an Android phone, a wearable, a hardware token, or a landline telephone, and you may register several validation devices. For details about ProSight Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
For 24/7/365 crypto-ransomware remediation help in Pasadena, call Progent at 800-462-8800 or go to Contact Progent.