Ransomware : Your Feared Information Technology Disaster
Ransomware Recovery Consultants

Ransomware has become an escalating cyber pandemic that represents an extinction-level threat for organizations vulnerable to an attack. Multiple generations of ransomware like the CryptoLocker, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still cause harm. More recent crypto-ransomware families like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, plus daily unnamed newcomers, not only encrypt online data but also disable or evade many of the system protections that are in place. Data synchronized to the cloud can also be ransomed. In a poorly designed data protection solution, this can render automated restore operations impossible and effectively knocks the datacenter back to zero.

Bringing applications and data back online after a ransomware intrusion becomes a race against time as the targeted business tries to stop the spread, clear the ransomware, and restore business-critical activity. Because crypto-ransomware requires time to spread, attacks are usually launched on weekends, when they often take longer to detect. This multiplies the difficulty of rapidly marshalling and coordinating a qualified mitigation team.

Progent offers a range of services for securing enterprises against ransomware attacks. Among these are staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security solutions with AI technology from SentinelOne to detect and quarantine zero-day cyber attacks rapidly. Progent also offers the services of seasoned ransomware recovery professionals with the skills and perseverance to rebuild a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware attack, paying the ransom demand in cryptocurrency provides no assurance that the attackers will respond with the keys to decrypt any or all of your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in additional losses. Paying is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical crypto-ransomware demand, which ZDNET averages to be around $13,000. The fallback is to rebuild the essential parts of your Information Technology environment. Without access to complete data backups, this calls for a wide complement of skill sets, professional project management, and the willingness to work non-stop until the job is done.

For decades, Progent has offered professional Information Technology services for companies in Waltham and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security consultants have earned internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of expertise gives Progent the ability to efficiently identify the necessary systems, re-organize the remaining components of your network after a crypto-ransomware attack, and rebuild them into an operational network.

Progent's security team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting swiftly and in unison with a customer's management and Information Technology team members to prioritize tasks and to put key services back online as fast as humanly possible.

Customer Story: A Successful Ransomware Virus Response
A customer escalated to Progent after their company was attacked by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored criminal gangs, possibly using code leaked from the US National Security Agency (NSA). Ryuk targets specific companies with little tolerance for disruption and is one of the most profitable strains of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with around 500 staff members. The Ryuk event had paralyzed all company operations and manufacturing capabilities. Most of the client's system backups had been online at the time of the intrusion and were destroyed. The client was pursuing financing for paying the ransom demand (in excess of $200K) and praying for the best, but in the end utilized Progent.


"I can't thank you enough for the expertise Progent provided us during the most fearful period of (our) business's life. We may have had to pay the cybercriminals if not for the confidence the Progent team gave us. That you were able to get our e-mail system and critical servers back on-line quicker than one week was beyond my wildest dreams. Every single person I talked with or e-mailed at Progent was absolutely committed to getting us back online and was working non-stop to bail us out."

Progent worked together with the customer to rapidly understand and assign priority to the key areas that needed to be restored in order to resume departmental operations:

  • Windows Active Directory
  • Email
  • Accounting/MRP
To start, Progent followed ransomware incident response best practices by isolating the affected systems and cleaning them of malware. Progent then began bringing Windows Active Directory back online, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without Windows AD, and the customer's financials and MRP software ran on SQL Server, which relies on Active Directory for authentication and authorization to the data.

In less than 48 hours, Progent rebuilt Active Directory to its pre-attack state. Progent then helped perform setup and disk recovery of the most important applications. All Exchange data and configuration information were intact, which greatly simplified the restore of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Offline Folder Files) on various workstations and use them to recover mail messages. A recent offline backup of the client's accounting/MRP software made it possible to bring these vital applications back online. Although significant work still had to be done to recover completely from the Ryuk event, core systems were returned to operation rapidly:
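The mailbox recovery step above depends on quickly telling intact OST/PST cache files on workstations apart from ones the ransomware overwrote. The following scanner is an added example, not Progent's tooling or anything from the case study. It assumes, as labelled in the code, that Outlook PST/OST files begin with the 4-byte magic "!BDN" and that an encrypted copy no longer does; it also treats a mailbox name carrying an appended extra extension (constructed here as `.locked`) as a candidate, since ransomware commonly renames what it encrypts. It only reads the first bytes of each file and never writes, so it is safe to run over disks you intend to preserve for forensics.

```python
"""Triage Outlook OST/PST files after a ransomware event (added example)."""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Assumption: intact Outlook PST/OST files start with the header magic "!BDN".
OUTLOOK_MAGIC = b"!BDN"
OUTLOOK_SUFFIXES = {".ost", ".pst"}


@dataclass
class Candidate:
    path: Path
    size: int
    verdict: str  # "intact", "encrypted", or "empty"


def classify(path: Path) -> Candidate:
    """Read only the header of one candidate file and classify it."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        head = fh.read(len(OUTLOOK_MAGIC))
    if size < len(OUTLOOK_MAGIC):
        verdict = "empty"  # zero-length or too short to carry a header
    elif head == OUTLOOK_MAGIC:
        verdict = "intact"  # header present: worth copying off for mail recovery
    else:
        verdict = "encrypted"  # header gone: assume overwritten by the ransomware
    return Candidate(path, size, verdict)


def is_mailbox_candidate(path: Path) -> bool:
    """Match user.ost, user.pst and renamed forms such as user.ost.locked."""
    suffixes = {s.lower() for s in path.suffixes}
    return bool(suffixes & OUTLOOK_SUFFIXES)


def scan_tree(root: Path) -> Dict[str, List[Candidate]]:
    """Walk a mounted workstation image (or share) and bucket every candidate."""
    results: Dict[str, List[Candidate]] = {"intact": [], "encrypted": [], "empty": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_mailbox_candidate(p):
                c = classify(p)
                results[c.verdict].append(c)
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the demo; these are not real mailbox files."""
    (root / "ws01").mkdir(parents=True)
    (root / "ws02").mkdir(parents=True)
    # Intact-looking OST: correct header followed by filler.
    (root / "ws01" / "user1.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 508)
    # Overwritten OST with an appended extension: header gone (constructed bytes).
    (root / "ws02" / "user2.ost.locked").write_bytes(bytes(range(256)) * 2)
    # Zero-byte placeholder left behind.
    (root / "ws02" / "user3.pst").write_bytes(b"")
    # Unrelated file containing the magic string; must be ignored by suffix.
    (root / "ws02" / "notes.txt").write_bytes(b"!BDN not a mailbox")


def demo() -> Dict[str, int]:
    """Run the scanner over the constructed tree and return counts per verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        found = scan_tree(root)
        for verdict, items in found.items():
            for c in items:
                print(f"{verdict:9s} {c.size:>8d}  {c.path.relative_to(root)}")
        return {verdict: len(items) for verdict, items in found.items()}


if __name__ == "__main__":
    demo()
```

Run it against a read-only mount of each workstation image and copy the "intact" list off to clean storage before touching anything else; the "encrypted" bucket tells you which users will need mail restored from the server or an archive such as MailStore instead.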


"For the most part, the production manufacturing operation was never shut down and we delivered all customer sales."

During the following month key milestones in the recovery project were completed through close cooperation between Progent engineers and the client:

  • Self-hosted web applications were returned to operation without losing any information.
  • The MailStore Server with over 4 million historical messages was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory Control capabilities were completely functional.
  • A new Palo Alto 850 firewall was set up and programmed.
  • Nearly all of the user desktops were fully operational.

"A huge amount of what happened in the initial days is nearly entirely a haze for me, but our team will not forget the dedication each and every one of you put in to give us our business back. I have entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A likely company-ending disaster was avoided through results-oriented professionals, a wide spectrum of technical expertise, and close teamwork. Although in retrospect the crypto-ransomware attack detailed here could have been prevented with modern security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well-designed incident response procedures covering data backup and proper patching controls, the reality is that government-sponsored hackers from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's team of professionals has substantial experience in ransomware defense, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for making it so I could get rested after we made it over the initial push. Everyone did an amazing job, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Waltham a variety of online monitoring and security evaluation services to assist you to minimize the threat from ransomware. These services utilize modern artificial intelligence capability to detect new variants of crypto-ransomware that are able to get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which routinely escape legacy signature-based AV products. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to manage the complete threat progression including blocking, detection, containment, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge tools incorporated within one agent accessible from a unified console. Progent's data protection and virtualization consultants can assist you to design and implement a ProSight ESP environment that addresses your organization's specific requirements and that allows you to demonstrate compliance with legal and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent can also help you to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup/restore technology companies to create ProSight Data Protection Services (DPS), a selection of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and enable non-disruptive backup and rapid recovery of important files, applications, system images, and VMs. ProSight DPS lets you recover from data loss caused by hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human error, malicious insiders, or application bugs. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top data security vendors to deliver centralized control and comprehensive protection for all your email traffic. The powerful architecture of Progent's Email Guard combines cloud-based filtering with an on-premises gateway device to provide advanced protection against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's onsite gateway device adds a deeper level of inspection for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to diagram, track, reconfigure and debug their networking hardware like switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, captures and displays the configuration information of virtually all devices on your network, monitors performance, and sends alerts when potential issues are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, finding devices that need important updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the health of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management staff and your Progent engineering consultant so all potential issues can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved immediately to a different hardware solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can eliminate up to 50% of time wasted looking for vital information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection service that utilizes next generation behavior-based machine learning technology to guard endpoints as well as servers and VMs against modern malware attacks like ransomware and email phishing, which routinely evade traditional signature-matching AV tools. Progent ASM services protect on-premises and cloud-based resources and offer a unified platform to automate the entire malware attack progression including protection, identification, containment, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Desk: Support Desk Managed Services
    Progent's Call Desk managed services enable your IT team to outsource Support Desk services to Progent or divide activity for Service Desk support seamlessly between your internal support staff and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a smooth extension of your internal IT support organization. User access to the Service Desk, provision of support, issue escalation, trouble ticket generation and updates, performance measurement, and management of the support database are consistent regardless of whether incidents are taken care of by your core network support group, by Progent, or by a combination. Learn more about Progent's outsourced/shared Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer businesses of any size a versatile and cost-effective solution for assessing, validating, scheduling, implementing, and tracking updates to your ever-evolving IT network. Besides optimizing the protection and functionality of your IT network, Progent's software/firmware update management services permit your IT team to concentrate on line-of-business initiatives and activities that derive maximum business value from your network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity verification with iOS, Google Android, and other out-of-band devices. Using 2FA, when you log into a secured application and enter your password you are asked to verify your identity via a device that only you possess and that is reached over a different network channel. A wide range of out-of-band devices can be used as this added form of identity validation, including an iPhone, an Android phone or watch, a hardware token, a landline phone, etc. You may designate multiple validation devices. To find out more about Duo two-factor identity validation services, refer to Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of in-depth management reporting tools designed to integrate with the industry's leading ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as spotty support follow-through or machines with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.

For 24x7 Waltham Crypto Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.