Ransomware: Your Feared Information Technology Disaster
Ransomware Recovery Consultants
Crypto-ransomware has become a modern cyberplague that presents an enterprise-level danger for businesses poorly prepared for an assault. Multiple generations of ransomware such as Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and still inflict damage. More recent versions of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, along with additional as yet unnamed newcomers, not only encrypt online information but also infiltrate many available system backups. Data synchronized to off-site disaster recovery sites can also be encrypted. In a poorly architected data protection solution, this can make automated restore operations impossible and effectively knocks the network back to zero.

Restoring online services and information following a crypto-ransomware outage becomes a sprint against time as the targeted organization struggles to contain and clean up the ransomware and to resume enterprise-critical operations. Because crypto-ransomware needs time to move laterally, intrusions are often sprung at night, when attacks tend to take longer to uncover. This compounds the difficulty of rapidly marshalling and orchestrating a capable mitigation team.

Progent provides an assortment of support services for securing organizations from crypto-ransomware events. These include user education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of modern security gateways with artificial intelligence capabilities from SentinelOne to identify and disable zero-day cyber threats quickly. Progent also offers the services of expert ransomware recovery consultants with the talent and perseverance to rebuild a breached environment as urgently as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will provide the keys to decrypt all your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to re-install the vital parts of your Information Technology environment. Absent the availability of full system backups, this requires a broad complement of IT skills, top-notch team management, and the capability to work non-stop until the task is complete.

For two decades, Progent has provided expert Information Technology services for businesses in Riverside and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distros of Linux. Progent's cyber security engineers have garnered internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of expertise gives Progent the capability to efficiently understand critical systems, consolidate the remaining components of your Information Technology system following a ransomware event, and configure them into a functioning system.

Progent's security group utilizes best-of-breed project management applications to coordinate the complex recovery process. Progent knows the importance of working quickly and in unison with a client's management and IT resources to prioritize tasks and to put critical systems back online as fast as possible.

Business Case Study: A Successful Ransomware Intrusion Response
A client engaged Progent after their network was brought down by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean state cybercriminals, suspected of adopting approaches leaked from the U.S. NSA. Ryuk attacks specific businesses with limited room for operational disruption and is one of the most lucrative iterations of ransomware viruses. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago with around 500 employees. The Ryuk attack had brought down all business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was evaluating paying the ransom demand (exceeding $200K) and hoping for good luck, but ultimately reached out to Progent.


"I can't thank you enough in regards to the expertise Progent gave us throughout the most stressful period of (our) business's survival. We had little choice but to pay the cyber criminals if not for the confidence the Progent team gave us. The fact that you were able to get our messaging and critical applications back into operation in less than seven days was something I thought impossible. Each expert I spoke to or e-mailed at Progent was urgently focused on getting my company operational and was working 24 by 7 on our behalf."

Progent worked with the client to quickly identify and prioritize the most important applications that needed to be restored to make it possible to continue company operations:

  • Windows Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software

To get going, Progent adhered to industry best practices for malware incident mitigation by stopping the spread and performing virus removal steps. Progent then started the steps of restoring Windows Active Directory, the heart of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's MRP system relied on SQL Server, which depends on Active Directory to authorize access to the data.

Within 2 days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and hard drive recovery for the most important applications. All Exchange Server-related Active Directory objects and attributes were intact, which greatly helped the restore of Exchange. Progent was also able to find intact OST files (Microsoft Outlook Offline Data Files) on staff PCs and laptops to recover email messages. A recent offline backup of the company's financial/ERP software made it possible to bring these essential applications back online. Although a lot of work remained to recover fully from the Ryuk attack, core services were restored quickly:


"For the most part, the production line operation never missed a beat and we made all customer shipments."

Throughout the next couple of weeks, key milestones in the restoration project were achieved through close collaboration between Progent consultants and the client:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore archive for Microsoft Exchange Server, containing more than four million archived messages, was restored to operation and available to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory capabilities were completely operational.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Nearly all of the user desktops were functioning as before the incident.

"A lot of what went on in the initial days is nearly entirely a haze for me, but we will not soon forget the care each of your team accomplished to help get our business back. I have trusted Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A probable business disaster was averted thanks to hard-working professionals, a broad spectrum of technical expertise, and close teamwork. Forensics completed afterward showed that the crypto-ransomware incident detailed here could have been identified and disabled with up-to-date cyber security technology and best practices, staff education, and well thought out security procedures for data protection and applying software patches. The fact remains, however, that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware intrusion, remember that Progent's team of experts has extensive experience in ransomware virus defense, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), I'm grateful for making it so I could get some sleep after we made it over the initial fire. Everyone did a fabulous effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Riverside a range of remote monitoring and security assessment services designed to help you minimize your vulnerability to ransomware. These services incorporate modern AI capability to detect zero-day strains of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting-edge behavior analysis technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily escape traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to manage the complete malware attack progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also help your company install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup software companies to produce ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and enable transparent backup and fast restoration of vital files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, human mistakes, malicious employees, or application glitches. Managed backup services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to deliver centralized management and comprehensive security for your email traffic. The hybrid structure of Email Guard integrates a Cloud Protection Layer with a local gateway device to provide advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite security gateway device adds a further layer of analysis for incoming email. For outbound email, the local security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, monitor, reconfigure and debug their networking hardware like routers, firewalls, and access points as well as servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are kept updated, copies and displays the configuration information of virtually all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating complex management activities, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by checking the health of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management personnel and your Progent engineering consultant so that any potential problems can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hosting environment without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can save up to 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based machine learning tools to guard endpoints as well as physical and virtual servers against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-based AV products. Progent Active Security Monitoring services protect on-premises and cloud resources and provide a single platform to address the entire malware attack lifecycle including blocking, identification, containment, remediation, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Call Desk: Call Center Managed Services
    Progent's Help Desk managed services enable your information technology group to outsource Call Center services to Progent or split responsibilities for support services seamlessly between your internal support staff and Progent's nationwide roster of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a transparent supplement to your in-house support team. User access to the Service Desk, provision of support services, issue escalation, ticket creation and tracking, efficiency metrics, and management of the support database are cohesive whether issues are taken care of by your corporate IT support resources, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of any size a versatile and cost-effective alternative for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT system. Besides optimizing the protection and functionality of your computer environment, Progent's software/firmware update management services permit your IT team to focus on more strategic projects and activities that derive maximum business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA services incorporate Cisco's Duo technology to defend against password theft by using two-factor authentication (2FA). Duo enables single-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you sign into a secured online account and enter your password you are asked to verify your identity on a unit that only you possess and that is accessed using a different ("out-of-band") network channel. A wide selection of out-of-band devices can be used for this second means of ID validation such as a smartphone or watch, a hardware token, a landline phone, etc. You may designate multiple verification devices. To learn more about Duo two-factor identity authentication services, see Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of real-time and in-depth reporting plug-ins created to work with the industry's top ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like inconsistent support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For Riverside 24/7/365 CryptoLocker Cleanup Consulting, contact Progent at 800-462-8800 or go to Contact Progent.