Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become a modern cyberplague that poses an extinction-level threat to businesses vulnerable to an attack. Multiple generations of ransomware, including the CryptoLocker, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms, have run rampant for many years and still cause destruction. Modern ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with additional unnamed variants, not only encrypt online data files but also attack every system protection mechanism they can reach. Files synchronized to cloud environments can also be encrypted. In a poorly architected environment, this renders automatic recovery useless and effectively sets the network back to square one.

Getting services and information back online after a ransomware outage becomes a race against the clock as the targeted organization tries its best to stop lateral movement, clean up the ransomware, and resume business-critical operations. Because crypto-ransomware takes time to spread, attacks are often launched at night, when they typically take longer to detect. This compounds the difficulty of rapidly marshalling and coordinating a qualified mitigation team.

Progent offers a variety of services for protecting businesses against ransomware attacks. These include user training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of AI-based security solutions from SentinelOne to detect and contain new cyber attacks. Progent also provides expert ransomware recovery engineers with the skills and perseverance to rebuild a compromised environment as rapidly as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware attack, even paying the ransom demand in Bitcoin provides no assurance that the remote criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The ransoms themselves are also costly: Ryuk demands frequently range from 15 to 40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNet puts in the range of $13,000. The alternative is to rebuild the key elements of your Information Technology environment. Without full system backups, this requires a wide range of skill sets, well-coordinated team management, and the ability to work non-stop until the job is done.

For two decades, Progent has provided professional Information Technology services for companies in Fort Myers and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security specialists hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the skills to quickly identify critical systems, integrate the surviving components of your network following a ransomware attack, and configure them into a functioning environment.

Progent's recovery team uses top-notch project management systems to orchestrate the complicated recovery process. Progent understands the urgency of working quickly and together with a client's management and IT staff to prioritize tasks and get critical systems back online as fast as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Virus Response
A client sought out Progent after their network was attacked by Ryuk ransomware. Ryuk is generally believed to have been launched by North Korean government-sponsored hackers, possibly adapting algorithms leaked from the United States National Security Agency. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most profitable ransomware operations. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk event had brought down all essential operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client was evaluating paying the ransom demand (more than $200,000) and hoping for the best, but ultimately brought in Progent.


"I cannot thank you enough for the support Progent provided us throughout the most critical period of (our) company's life. We would have paid the hackers behind this attack except for the confidence the Progent group gave us. The fact that you were able to get our e-mail and essential servers back online in less than five days was something I thought impossible. Each consultant I talked with or messaged at Progent was absolutely committed to getting our company operational and was working day and night to bail us out."

Progent worked with the client to rapidly identify and prioritize the mission-critical systems that had to be restored before company functions could resume:

  • Microsoft Active Directory
  • E-Mail
  • MRP System
To begin, Progent followed industry best practices for malware incident mitigation by stopping the spread and cleaning up compromised systems. Progent then began recovering Microsoft Active Directory, the key technology of enterprise environments built on Microsoft Windows. Microsoft Exchange Server email will not work without Active Directory, and the business's financial and MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication to the databases.

In less than 48 hours, Progent rebuilt Active Directory services to their pre-attack state. Progent then performed rebuilds and hard drive recovery on mission-critical systems. All Exchange Server data and attributes were usable, which accelerated the restoration of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder Files) on various desktop computers to recover email messages. A recent offline backup of the business's financial/ERP software made it possible to bring these vital applications back online. Although significant work remained to recover fully from the Ryuk event, critical services were restored quickly:


"For the most part, the assembly line operation was never shut down and we produced all customer sales."

Over the following couple of weeks, important milestones in the restoration project were reached through close collaboration between Progent consultants and the customer:

  • Internal web sites were brought back up without losing any data.
  • The MailStore Exchange Server containing more than four million historical messages was brought online and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100% restored.
  • A new Palo Alto 850 firewall was brought online.
  • Most of the desktop computers were operational.

"A lot of what was accomplished in the initial days is nearly entirely a blur for me, but our team will not soon forget the dedication each and every one of you accomplished to give us our company back. I have been working with Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A likely company-ending catastrophe was avoided thanks to top-tier experts, a wide spectrum of technical expertise, and tight collaboration. Forensics showed that the ransomware intrusion described here would have been identified and disabled by modern security solutions combined with recognized best practices: user education, sound incident response procedures, reliable data backup, and proper patching controls. Nevertheless, state-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incursion, remember that Progent's roster of professionals has extensive experience in ransomware defense, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thanks very much for making it so I could get some sleep after we made it past the first week. Everyone made a fabulous effort, and if anyone that helped is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Fort Myers a variety of online monitoring and security assessment services designed to reduce your exposure to ransomware. These services use modern artificial intelligence technology to uncover zero-day variants of crypto-ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to address the entire malware attack progression, including blocking, infiltration detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools packaged within one agent and accessible from a single console. Progent's security and virtualization experts can help you design and implement a ProSight ESP environment that addresses your organization's specific requirements and lets you prove compliance with legal and industry data security standards. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent's consultants can also help you set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services, a selection of offerings that provide backup-as-a-service. ProSight DPS services manage and monitor your backup processes and allow transparent backup and fast restoration of vital files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss resulting from hardware failures, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or software glitches. Managed backup services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security companies to deliver web-based control and world-class protection for your email traffic. The Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This reduces your exposure to inbound attacks and conserves bandwidth and storage space. Email Guard's on-premises security gateway adds a further level of inspection for inbound email. For outbound email, the local security gateway provides anti-virus and anti-spam protection, data leak protection, and email encryption. The on-premises security gateway can also help Exchange Server track and safeguard internal email that originates and terminates inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map out, track, optimize and debug their connectivity hardware like routers, firewalls, and load balancers plus servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are always updated, captures and displays the configuration of almost all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming management processes, WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, locating devices that require important software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to keep your network operating efficiently by checking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT management staff and your assigned Progent consultant so any looming issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hosting solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can eliminate as much as 50% of time spent searching for critical information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting-edge behavior analysis tools to guard endpoints as well as physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily get by legacy signature-matching AV tools. Progent ASM services protect local and cloud-based resources and provide a unified platform to address the entire threat lifecycle, including filtering, detection, containment, cleanup, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Service Center: Support Desk Managed Services
    Progent's Support Desk managed services permit your information technology staff to outsource Call Center services to Progent or divide activity for Service Desk support transparently between your internal support staff and Progent's extensive roster of IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth extension of your in-house IT support group. Client access to the Service Desk, provision of support services, escalation, trouble ticket creation and updates, performance measurement, and maintenance of the service database are cohesive regardless of whether issues are resolved by your in-house IT support resources, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management offer organizations of any size a flexible and affordable alternative for assessing, validating, scheduling, applying, and documenting updates to your dynamic information system. Besides optimizing the protection and reliability of your IT environment, Progent's patch management services free up time for your IT staff to concentrate on more strategic initiatives and tasks that deliver the highest business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication services use Cisco's Duo technology to defend against compromised passwords through two-factor authentication. Duo supports one-tap identity verification on iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to confirm your identity using a device that only you possess and that is reached over a different network channel. A broad selection of out-of-band devices can serve as this added means of authentication, such as an iPhone, an Android phone or watch, a hardware or software token, or a landline telephone. You can register several validation devices. For more information about Duo two-factor identity validation services, see Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of real-time and in-depth reporting utilities created to work with the industry's leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For Fort Myers 24/7 Ransomware Recovery Services, reach out to Progent at 800-462-8800 or go to Contact Progent.