Ransomware: Your Crippling Information Technology Catastrophe
Ransomware Remediation Professionals
Crypto-ransomware has become a too-frequent cyberplague that presents an extinction-level threat to businesses of all sizes that are unprepared for an attack. Multiple generations of crypto-ransomware like the Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and still cause damage. More recent ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus frequent unnamed malware, not only encrypt online critical data but also infiltrate any reachable system backup. Files synced to the cloud can also be corrupted. In a poorly architected data protection solution, this can make automatic recovery impossible and effectively knocks the network back to square one.

Getting programs and information back online after a crypto-ransomware event becomes a sprint against the clock as the targeted organization tries its best to stop lateral movement, eradicate the ransomware, and resume business-critical activity. Because ransomware takes time to replicate, attacks are usually sprung on weekends and holidays, when penetrations typically take longer to identify. This compounds the difficulty of rapidly assembling and organizing a capable mitigation team.

Progent makes available a range of help services for securing enterprises from ransomware penetrations. Among these are team education to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security gateways with artificial intelligence technology from SentinelOne to discover and suppress zero-day threats quickly. Progent also offers the services of experienced ransomware recovery professionals with the track record and commitment to restore a breached network as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
Following a crypto-ransomware event, paying the ransom in Bitcoin does not guarantee that the cyber criminals will provide the keys to decrypt any of your data. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000), significantly above the usual ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to piece back together the key components of your IT environment. Without access to complete information backups, this calls for a broad complement of skill sets, well-coordinated team management, and the willingness to work non-stop until the job is completed.

For two decades, Progent has made available expert IT services for companies in Fort Worth and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained top industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience affords Progent the skills to quickly identify critical systems, organize the remaining components of your IT system after a ransomware penetration, and rebuild them into an operational network.

Progent's ransomware team has best-of-breed project management tools to orchestrate the complicated recovery process. Progent knows the importance of working rapidly and together with a client's management and IT resources to prioritize tasks and to get critical applications back online as soon as humanly possible.

Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer sought out Progent after their network was taken over by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, suspected of using strategies leaked from the U.S. NSA. Ryuk targets specific businesses with little or no room for operational disruption and is one of the most profitable iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with about 500 workers. The Ryuk intrusion had brought down all business operations and manufacturing processes. The majority of the client's information backups had been online at the time of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for good luck, but in the end brought in Progent.


"I can't tell you enough about the support Progent provided us during the most stressful period of (our) company's existence. We had little choice but to pay the hackers behind this attack if not for the confidence the Progent group provided us. The fact that you could get our e-mail system and important servers back into operation faster than 1 week was incredible. Every single expert I interacted with or communicated with at Progent was absolutely committed to getting us restored and was working 24/7 on our behalf."

Progent worked hand in hand with the customer to rapidly identify and prioritize the key services that needed to be addressed in order to restart company functions:

  • Active Directory
  • Microsoft Exchange
  • Financials/MRP
To start, Progent followed ransomware event mitigation industry best practices by stopping the spread and cleaning up infected systems. Progent then started the task of recovering Active Directory, the key technology of enterprise networks built on Microsoft technology. Microsoft Exchange email will not function without AD, and the business's financials and MRP software used SQL Server, which relies on Windows AD to authenticate access to the data.

In less than 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then rebuilt and recovered storage on the most important systems. All Exchange links and configuration information were usable, which facilitated the restore of Exchange. Progent was able to locate non-encrypted OST files (Outlook Offline Data Files) on staff desktop computers and recover mail data from them. A recent off-line backup of the business's accounting software made it possible to return these essential applications to service. Although a large amount of work remained to recover completely from the Ryuk attack, essential systems were returned to operation quickly:


"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer deliverables."
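The OST recovery described above depends on one triage step: telling which Outlook data files on staff desktops still have their original structure and which the ransomware has overwritten, before any of them are copied off a workstation. The script below is an added example, not Progent's tooling or code from the case study. It assumes that every intact PST/OST file begins with the 4-byte magic "!BDN" (as documented in Microsoft's MS-PST specification) and that an encrypted file shows no such header and near-random byte entropy; the directory layout, file names, the ".locked" suffix and all file contents it creates are constructed for the demonstration.

```python
"""Triage Outlook data files (.ost/.pst) after a ransomware event.

Added example; not Progent's tooling and not code from the case study.
Assumptions: every intact PST/OST file begins with the 4-byte magic "!BDN"
(MS-PST specification), and a file the ransomware has overwritten shows no
such header and near-random byte entropy. Every file name, extension and
byte string below is constructed for the demonstration.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

PST_MAGIC = b"!BDN"            # dwMagic at offset 0 of every PST/OST file
OUTLOOK_SUFFIXES = {".ost", ".pst"}
SAMPLE_BYTES = 64 * 1024       # only the first 64 KiB of each file is read
ENTROPY_THRESHOLD = 7.5        # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_outlook_candidate(path: Path) -> bool:
    """True for mailbox.ost, archive.pst and renamed forms such as mailbox.ost.<ext>."""
    return any(s.lower() in OUTLOOK_SUFFIXES for s in path.suffixes)


def classify_outlook_file(path: Path) -> str:
    """Return 'intact', 'encrypted', 'unknown' or 'unreadable' for one file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return "unreadable"
    if head.startswith(PST_MAGIC):
        return "intact"          # header present: worth copying off the host
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"       # no header, random-looking bytes
    return "unknown"             # no header, low entropy: truncated, zeroed, or another format


def triage_tree(root: Path) -> Dict[str, List[Path]]:
    """Walk root read-only and bucket every Outlook candidate by verdict."""
    buckets: Dict[str, List[Path]] = {"intact": [], "encrypted": [], "unknown": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_outlook_candidate(p):
                buckets[classify_outlook_file(p)].append(p)
    for verdict in buckets:
        buckets[verdict].sort()
    return buckets


def build_sample_tree(root: Optional[Path] = None) -> Path:
    """Write a constructed workstation layout: one intact OST, one overwritten OST
    renamed with a made-up '.locked' suffix, one zero-filled PST and one unrelated file."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="ost-triage-"))
    outlook = root / "Users" / "alice" / "AppData" / "Local" / "Microsoft" / "Outlook"
    outlook.mkdir(parents=True, exist_ok=True)
    (outlook / "alice@example.com.ost").write_bytes(PST_MAGIC + bytes(4096))  # intact header
    (outlook / "archive.pst").write_bytes(bytes(4096))                          # header zeroed
    (outlook / "old.ost.locked").write_bytes(os.urandom(8192))                 # ciphertext stand-in
    (root / "Users" / "alice" / "notes.txt").write_bytes(b"not a mailbox\n")
    return root


if __name__ == "__main__":
    results = triage_tree(build_sample_tree())
    for verdict, paths in results.items():
        for p in paths:
            print(f"{verdict:10s} {p}")
```

The walk never writes to the tree it inspects, so it can be run against a mounted image of a workstation disk as well as a live desktop. The "unknown" bucket exists on purpose: a zero-filled or truncated file has no header but also no entropy, and lumping it in with the encrypted set would hide a different failure mode (for example a wiper or an interrupted write) from the responder.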

Throughout the next month, key milestones in the recovery process were achieved through close collaboration between Progent consultants and the customer:

  • Internal web sites were returned to operation with no loss of information.
  • The MailStore Exchange Server, holding more than 4 million archived emails, was restored to operation and made available to users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory capabilities were completely recovered.
  • A new Palo Alto 850 security appliance was installed.
  • Ninety percent of user desktops and notebooks were back in use by staff.

"So much of what was accomplished in the early hours is mostly a haze for me, but our team will not forget the urgency all of your team put in to give us our business back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A possible business extinction catastrophe was averted through the efforts of results-oriented professionals, a broad spectrum of IT skills, and tight collaboration. Although in the post mortem it is clear that the ransomware attack detailed here would have been stopped by current cyber security systems, NIST Cybersecurity Framework best practices, user and IT administrator training, and appropriate security procedures for backup and patching, the fact is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to ransomware, remember that Progent's team of professionals has substantial experience in ransomware defense, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), I'm grateful for letting me get some sleep after we made it over the initial push. All of you did an amazing job, and if anyone that helped is in the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Fort Worth a range of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize modern AI technology to detect new variants of ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to address the complete malware attack progression including filtering, detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, endpoint control, and web filtering via cutting-edge technologies incorporated within one agent accessible from a unified console. Progent's security and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that meets your company's unique requirements and that helps you demonstrate compliance with legal and industry information security regulations. Progent will assist you in defining and configuring the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent can also help you to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore software providers to create ProSight Data Protection Services, a portfolio of offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and allow transparent backup and rapid restoration of important files/folders, applications, system images, plus virtual machines. ProSight DPS helps your business avoid data loss resulting from hardware failures, natural disasters, fire, malware such as ransomware, user error, ill-intentioned insiders, or software bugs. Managed backup services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security companies to provide web-based management and comprehensive security for your email traffic. The hybrid structure of Email Guard combines cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and saves system bandwidth and storage. Email Guard's on-premises security gateway device provides a further layer of analysis for inbound email. For outgoing email, the local security gateway provides AV and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their connectivity hardware like switches, firewalls, and load balancers plus servers, client computers and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, captures and displays the configuration of almost all devices on your network, monitors performance, and generates alerts when problems are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, locating devices that need important software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT management staff and your assigned Progent engineering consultant so all potential issues can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Since the system is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as 50% of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that utilizes cutting edge behavior-based machine learning tools to defend endpoints, servers, and VMs against modern malware assaults like ransomware and email phishing, which easily escape legacy signature-matching AV products. Progent Active Security Monitoring services protect on-premises and cloud resources and offer a single platform to address the entire malware attack lifecycle including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Desk: Help Desk Managed Services
    Progent's Call Desk services permit your IT team to outsource Call Center services to Progent or split activity for Help Desk services seamlessly between your internal network support team and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent extension of your in-house network support staff. Client access to the Help Desk, provision of support services, escalation, trouble ticket creation and updates, performance measurement, and maintenance of the support database are consistent regardless of whether issues are resolved by your in-house IT support staff, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide businesses of all sizes a flexible and affordable solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. In addition to optimizing the security and functionality of your IT network, Progent's software/firmware update management services permit your in-house IT team to concentrate on more strategic initiatives and tasks that deliver the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication services utilize Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected online account and give your password you are requested to confirm who you are on a device that only you possess and that is accessed using a different ("out-of-band") network channel. A broad range of devices can be used for this second form of ID validation such as a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may register several verification devices. To find out more about Duo two-factor identity validation services, visit Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of in-depth management reporting utilities created to work with the industry's leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.

For 24/7 Fort Worth CryptoLocker Remediation Consulting, call Progent at 800-462-8800 or go to Contact Progent.