Ransomware : Your Feared IT Disaster
Ransomware Remediation Consultants

Ransomware has become an all-too-frequent cyberplague that poses an extinction-level danger for businesses vulnerable to an attack. Versions of ransomware like the Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for a long time and still cause destruction. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, as well as frequent unnamed malware, not only encrypt online data but also attack any reachable system protection mechanisms. Data replicated to off-site disaster recovery sites can also be rendered useless. With a vulnerable data protection solution, this can make any restore operation impossible and effectively knocks the entire system back to zero.

Restoring programs and data after a ransomware intrusion becomes a race against time as the targeted business fights to contain and clear the ransomware and to resume business-critical operations. Since crypto-ransomware needs time to propagate, attacks are frequently launched at night, when they are likely to take longer to uncover. This multiplies the difficulty of rapidly marshalling and coordinating a knowledgeable response team.

Progent offers a variety of solutions for protecting businesses from crypto-ransomware attacks. These include team education to help staff identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with artificial intelligence technology from SentinelOne to discover and suppress new cyber attacks automatically. Progent also offers the assistance of experienced ransomware recovery consultants with the track record and commitment to rebuild a compromised system as rapidly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware penetration, paying the ransom in cryptocurrency does not provide any assurance that the attackers will return the keys needed to decrypt any or all of your files. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files even after paying the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than typical ransomware demands, which ZDNET estimates at approximately $13,000. The alternative is to set up the critical components of your Information Technology environment from scratch. Without access to full data backups, this calls for a broad range of IT skills, professional project management, and the willingness to work 24x7 until the task is completed.

For decades, Progent has provided professional Information Technology services for businesses in Riverside and throughout the United States and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of expertise allows Progent to quickly understand the important systems, reorganize the surviving pieces of your IT environment following a crypto-ransomware penetration, and assemble them into an operational system.

Progent's ransomware team deploys state-of-the-art project management systems to coordinate the complex recovery process. Progent understands the urgency of working swiftly and in concert with a client's management and Information Technology resources to prioritize tasks and to put key services back on-line as fast as humanly possible.

Customer Story: A Successful Crypto-Ransomware Intrusion Response
A small business escalated to Progent after their network was taken over by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, suspected of adopting algorithms leaked from the US National Security Agency (NSA). Ryuk goes after specific businesses with little tolerance for disruption and is one of the most profitable ransomware strains. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with about 500 workers. The Ryuk attack had paralyzed all company operations and manufacturing processes. The majority of the client's backups had been directly accessible from the network at the time of the intrusion and were encrypted. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I cannot speak enough in regard to the care Progent gave us throughout the most critical time of (our) company's life. We would have paid the criminal gangs if it wasn't for the confidence the Progent experts gave us. The fact that you could get our e-mail and essential applications back online in less than one week was beyond my wildest dreams. Each expert I worked with or messaged at Progent was absolutely committed to getting our system up and was working 24/7 on our behalf."

Progent worked hand in hand with the client to rapidly understand and prioritize the essential elements that needed to be addressed in order to resume business functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • MRP System

To get going, Progent followed anti-virus incident mitigation best practices by stopping the spread of the infection and cleaning infected systems. Progent then began the work of recovering Microsoft Active Directory (AD), the foundation of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the customer's MRP applications relied on SQL Server, which in turn needs Windows AD to authenticate users to the data.

Within 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then initiated the rebuild and storage recovery of the needed servers. All Microsoft Exchange Server connections and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to collect local OST files (Outlook Offline Folder Files) from team workstations and laptops to recover email data. A reasonably recent offline backup of the business's financials/MRP systems made it possible to bring these required applications back online for users. Although significant work remained to recover fully from the Ryuk event, essential systems were restored quickly:


"For the most part, the production manufacturing operation ran fairly normally throughout and we delivered all customer shipments."

During the following few weeks important milestones in the restoration process were accomplished in tight collaboration between Progent team members and the client:

  • Self-hosted web applications were brought back up with no loss of information.
  • The MailStore Exchange Server containing more than 4 million archived emails was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory modules were fully restored.
  • A new Palo Alto 850 security appliance was installed and configured.
  • 90% of the user desktops and notebooks were operational.

"A lot of what transpired in the early hours is mostly a haze for me, but my management will not forget the commitment each and every one of your team put in to give us our business back. I've utilized Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This event was a testament to your capabilities."

Conclusion
A possible business extinction disaster was averted by top-tier experts, a broad range of subject matter expertise, and close teamwork. In retrospect, the ransomware penetration described here should have been identified and stopped by advanced security technology and best practices: user and IT administrator training, appropriate security procedures for information protection, and proper patching controls. The reality, however, is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, you can be confident that Progent's team of professionals has extensive experience in crypto-ransomware blocking, cleanup, and information systems disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for letting me get rested after we made it through the first week. All of you did an amazing effort, and if anyone that helped is around the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Riverside a variety of remote monitoring and security evaluation services to help you minimize your exposure to ransomware. These services include modern machine learning technology to detect new strains of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to automate the complete malware attack progression including protection, detection, containment, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools packaged within one agent managed from a single console. Progent's security and virtualization experts can help your business to design and implement a ProSight ESP environment that meets your company's specific requirements and that allows you to demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent's consultants can also help you to install and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with leading backup software providers to produce ProSight Data Protection Services, a family of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your backup operations and allow non-disruptive backup and rapid restoration of critical files, apps, images, and VMs. ProSight DPS helps you avoid data loss resulting from equipment breakdown, natural disasters, fire, malware such as ransomware, user mistakes, ill-intentioned employees, or application glitches. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to deliver centralized control and world-class protection for all your email traffic. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from making it to your security perimeter. This reduces your exposure to external threats and saves network bandwidth and storage. Email Guard's onsite security gateway device adds a further level of analysis for incoming email. For outbound email, the onsite security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, track, optimize and debug their connectivity hardware such as routers, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that require important software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to keep your network running efficiently by checking the health of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so that all looming issues can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect data related to your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time wasted looking for vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're making improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates cutting-edge behavior-based machine learning tools to guard endpoint devices, servers and VMs against modern malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-based AV tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and offer a single platform to manage the entire malware attack progression including blocking, detection, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Support Desk services enable your information technology staff to offload Call Center services to Progent or split activity for Help Desk services seamlessly between your in-house network support staff and Progent's nationwide pool of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a smooth extension of your core support staff. User interaction with the Help Desk, delivery of technical assistance, issue escalation, ticket generation and tracking, efficiency measurement, and maintenance of the support database are consistent regardless of whether issues are taken care of by your in-house IT support staff, by Progent, or both. Find out more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of any size a flexible and affordable solution for assessing, validating, scheduling, applying, and tracking updates to your ever-evolving IT network. In addition to maximizing the security and functionality of your IT network, Progent's software/firmware update management services allow your IT staff to concentrate on more strategic projects and activities that deliver maximum business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo cloud technology to protect against password theft by using two-factor authentication. Duo supports one-tap identity verification with iOS, Android, and other personal devices. Using 2FA, when you log into a secured application and enter your password you are requested to verify your identity via a device that only you possess and that is accessed using a separate network channel. A wide range of out-of-band devices can be utilized as this second means of authentication such as a smartphone or watch, a hardware/software token, a landline phone, etc. You may designate several validation devices. To find out more about Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of in-depth management reporting tools designed to work with the industry's top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like spotty support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For Riverside 24/7 Crypto-Ransomware Recovery Experts, contact Progent at 800-462-8800 or go to Contact Progent.