Ransomware: Your Worst Information Technology Disaster
Crypto-Ransomware Remediation Experts

Ransomware has become a modern cyber pandemic that poses an existential danger to organizations poorly prepared for an attack. Ransomware families such as the Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for years and continue to cause destruction. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus a daily stream of as-yet-unnamed newcomers, not only encrypt online critical data but also attack most configured system protection mechanisms. Files synced to cloud environments can also be rendered useless. With a vulnerable data protection solution, this can make any recovery hopeless and effectively set the datacenter back to zero.

Getting programs and data back after a ransomware attack becomes a race against the clock as the targeted organization tries to contain the damage, eradicate the ransomware and restore business-critical operations. Because ransomware needs time to spread, attacks are usually launched at night, when successful penetrations are likely to take longer to notice. This compounds the difficulty of promptly assembling and organizing a capable mitigation team.

Progent offers a range of solutions for protecting enterprises from crypto-ransomware penetrations. These include team member training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security gateways with artificial intelligence technology from SentinelOne to detect and disable zero-day cyber attacks rapidly. Progent also offers the assistance of veteran ransomware recovery engineers with the track record and commitment to restore a breached environment as rapidly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in cryptocurrency does not guarantee that merciless criminals will respond with the keys to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their information after sending off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above typical ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to piece back together the key components of your IT environment. Without access to complete data backups, this calls for a wide complement of skill sets, professional project management, and the ability to work non-stop until the task is complete.

For twenty years, Progent has provided professional IT services for companies in Glendale and across the United States, and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience in financial systems and ERP software. This breadth of expertise enables Progent to efficiently identify critical systems, integrate the surviving parts of your IT environment following a ransomware penetration, and rebuild them into an operational network.

Progent's ransomware team uses state-of-the-art project management systems to orchestrate the complex recovery process. Progent appreciates the importance of working quickly and in concert with a client's management and IT team to prioritize tasks and get key applications back online as soon as possible.

Business Case Study: A Successful Ransomware Intrusion Response
A client escalated to Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific companies with limited tolerance for operational disruption and is one of the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago with about 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were destroyed. The client was evaluating paying the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but in the end engaged Progent.


"I cannot thank you enough for the care Progent gave us throughout the most critical time of (our) business's survival. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our messaging and key applications back into operation in less than five days was beyond my wildest dreams. Each expert I got help from or texted at Progent was urgently focused on getting our company operational and was working at all hours to bail us out."

Progent worked hand in hand with the customer to rapidly understand and prioritize the essential areas that needed to be recovered to make it possible to continue business operations:

  • Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To begin, Progent followed ransomware penetration mitigation best practices by isolating and cleaning up compromised systems. Progent then started the process of bringing Microsoft Active Directory back online, the core of enterprise environments built on Microsoft technology. Exchange email will not work without Active Directory, and the business's MRP system relied on Microsoft SQL Server, which needs Active Directory services for authentication to its data.

Within two days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then assisted with setup and hard drive recovery for the needed applications. All Microsoft Exchange Server schema and attributes were usable, which facilitated the restore of Exchange. Progent was able to assemble local OST files (Microsoft Outlook Offline Folder Files) from user desktop computers in order to recover email messages. A recent offline backup of the client's manufacturing software made it possible to bring these vital applications back online. Although a lot of work remained to recover fully from the Ryuk attack, the most important systems were returned to operation rapidly:


"For the most part, the assembly line operation survived unscathed and we made all customer orders."

Over the following couple of weeks, important milestones in the recovery project were completed through tight cooperation between Progent engineers and the customer:

  • In-house web sites were brought back up without losing any data.
  • The MailStore archive server for Exchange, holding more than four million historical emails, was brought online and made accessible to users.
  • CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were 100% functional.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Nearly all user desktops and notebooks were back in operation.

"A lot of what happened that first week is mostly a blur for me, but my team will not soon forget the countless hours each and every one of your team accomplished to give us our company back. I've been working with Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered. This event was no exception but maybe more Herculean."

Conclusion
A likely company-ending catastrophe was averted by top-tier experts, a wide range of knowledge, and close teamwork. In retrospect, the ransomware attack detailed here could have been identified and blocked with modern cyber security technology, NIST Cybersecurity Framework best practices, team training, and well-thought-out security procedures for data protection and for keeping systems current with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware penetration, you can be confident that Progent's roster of professionals has extensive experience in ransomware blocking, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for allowing me to get rested after we got past the most critical parts. Everyone did an incredible job, and if any of your team is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Glendale with a portfolio of remote monitoring and security assessment services to help you minimize your vulnerability to ransomware. These services include next-generation machine learning capabilities to uncover zero-day variants of ransomware that can escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting-edge behavior-based analysis tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which easily escape traditional signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to address the entire malware attack progression: blocking, infiltration detection, containment, remediation, and forensics. Key capabilities include one-click rollback using the Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning to continuously monitor and react to security assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alarms, device management, and web filtering through leading-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can help you design and configure a ProSight ESP deployment that addresses your organization's unique needs and that allows you to prove compliance with government and industry data protection standards. Progent will help you define and implement the security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent action. Progent's consultants can also help your company install and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with advanced backup/restore software companies to create ProSight Data Protection Services, a selection of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products manage and track your backup processes and allow transparent backup and fast restoration of vital files/folders, apps, system images, plus virtual machines. ProSight DPS helps you protect against data loss caused by hardware failures, natural disasters, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or software bugs. Managed backup services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security companies to deliver centralized control and comprehensive protection for all your email traffic. The hybrid structure of the Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper level of analysis for incoming email. For outgoing email, the local security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Exchange Server track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, track, reconfigure and debug their connectivity hardware such as switches, firewalls, and wireless controllers, as well as servers, printers, endpoints and other devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that network diagrams are always up to date, copies and manages the configuration of almost all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming network management activities, WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding devices that require critical updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the state of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so that all looming issues can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported immediately to an alternate hosting environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Read more about the ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting-edge behavior-based analysis tools to defend endpoint devices as well as physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which easily get by legacy signature-based AV tools. Progent's ASM services protect local and cloud resources and provide a single platform to automate the complete threat progression: protection, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback with the Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Service Center: Support Desk Managed Services
    Progent's Call Center services permit your IT staff to outsource Support Desk services to Progent or to split Service Desk responsibilities transparently between your in-house support group and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth extension of your in-house IT support resources. End user access to the Help Desk, provision of technical assistance, problem escalation, ticket generation and updates, efficiency metrics, and management of the support database are consistent regardless of whether incidents are resolved by your internal support group, by Progent's team, or by a mix of the two. Read more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide businesses of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic information network. In addition to optimizing the protection and functionality of your computer network, Progent's software/firmware update management services permit your in-house IT staff to concentrate on line-of-business initiatives and tasks that deliver the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication services incorporate Cisco's Duo technology to defend against compromised passwords by using two-factor authentication. Duo enables one-tap identity confirmation with iOS, Android, and other personal devices. Using Duo 2FA, when you log into a secured online account and enter your password, you are asked to verify your identity on a device that only you have and that is reached over a different network channel. A wide range of devices can be used for this added form of identity validation, such as a smartphone or smartwatch, a hardware token, or a landline telephone. You can designate several verification devices. For details about Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of in-depth management reporting utilities designed to integrate with the industry's top ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-through or machines with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.

For Glendale 24/7 Crypto-Ransomware Remediation Services, reach out to Progent at 800-462-8800 or go to Contact Progent.