Ransomware : Your Worst Information Technology Nightmare
Ransomware Remediation Consultants
Ransomware has become an all-too-frequent cyber pandemic that represents an extinction-level danger for businesses poorly prepared for an attack. Iterations of crypto-ransomware such as CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and still inflict destruction. Newer strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, along with additional unnamed malware, not only encrypt online data but also infiltrate every accessible system backup. Data replicated to off-site disaster recovery sites can also be encrypted. In a poorly designed system, this can render any restore operation hopeless and essentially sets the network back to square one.

Getting applications and data back online after a crypto-ransomware attack becomes a race against the clock as the targeted business fights to stop the spread, remove the crypto-ransomware, and restore business-critical operations. Because ransomware takes time to move laterally, attacks are frequently sprung on weekends and at night, when intrusions often take longer to uncover. This compounds the difficulty of rapidly mobilizing and coordinating an experienced response team.

Progent has a variety of solutions for protecting enterprises from ransomware attacks. These include staff training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of next-generation security solutions with machine learning capabilities from SentinelOne to detect and quarantine zero-day cyber threats intelligently. Progent also can provide the assistance of seasoned ransomware recovery consultants with the talent and commitment to rebuild a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the remote criminals will provide the keys needed to decrypt all your data. Kaspersky estimated that seventeen percent of ransomware victims never restored their files after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNet puts at around $13,000 on average. The alternative is to rebuild the critical components of your IT environment. Without complete data backups, this requires a broad range of IT skills, well-coordinated team management, and the capability to work around the clock until the job is finished.

For decades, Progent has offered certified expert IT services for businesses in Grand Rapids and across the US and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the capability to efficiently identify critical systems after a ransomware event, reorganize the surviving parts of your IT environment, and rebuild them into an operational network.

Progent's security team of experts uses state-of-the-art project management tools to orchestrate the complicated restoration process. Progent knows the urgency of acting rapidly and in concert with a customer's management and IT resources to prioritize tasks and to get critical systems back online as soon as possible.

Case Study: A Successful Crypto-Ransomware Virus Recovery
A small business sought out Progent after the company was attacked by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state hackers, suspected of adopting technology leaked from the U.S. NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most lucrative iterations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were destroyed. The client was preparing to pay the ransom demand (in excess of $200K) and hope for the best, but ultimately engaged Progent.

"I can't say enough in regards to the help Progent gave us throughout the most stressful time of (our) company's life. We would have had little choice but to pay the criminal gangs if not for the confidence the Progent group gave us. The fact that you could get our e-mail and critical servers back online in less than five days was something I thought impossible. Each staff member I talked with or e-mailed at Progent was urgently focused on getting us restored and was working at breakneck pace on our behalf."

Progent worked together with the customer to quickly identify and prioritize the critical areas that had to be addressed before departmental functions could resume:

  • Active Directory
  • Microsoft Exchange Email
  • Financials/MRP

To begin, Progent followed anti-virus/malware incident response best practices by stopping lateral movement and removing active malware. Progent then began restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Active Directory, and the customer's financials and MRP applications ran on SQL Server, which depends on Active Directory services for database access.

Within two days, Progent was able to recover Active Directory services to their pre-attack state. Progent then rebuilt the mission-critical servers and recovered their hard drives. All Microsoft Exchange Server schema and configuration information was intact, which accelerated the restoration of Exchange. Progent was also able to locate intact OST files (Outlook Offline Data Files) on staff PCs and laptops and used them to recover email data. A recent offline backup of the customer's financials/ERP software made it possible to restore these required applications and make them available to users again. Although a large amount of work remained to recover fully from the Ryuk attack, critical systems were restored quickly:

"For the most part, the assembly line operation did not miss a beat and we made all customer orders."

Over the next couple of weeks key milestones in the restoration project were achieved in tight collaboration between Progent consultants and the client:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Exchange Server with over 4 million archived messages was spun up and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivable (AR)/Inventory Control modules were 100 percent restored.
  • A new Palo Alto Networks 850 security appliance was installed.
  • 90% of the user PCs were fully operational.

"So much of what happened in the early hours is nearly entirely a blur for me, but my management will not soon forget the countless hours each of you accomplished to help get our business back. I have trusted Progent for the past 10 years, maybe more, and each time Progent has come through and delivered as promised. This time was a testament to your capabilities."

Conclusion
A potentially enterprise-killing disaster was averted with dedicated experts, a wide range of knowledge, and tight collaboration. Post-incident forensics showed that the crypto-ransomware intrusion described here could have been stopped with up-to-date security systems and best practices, staff training, well-thought-out incident response procedures for information protection, and timely installation of security patches. Even so, the reality remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you are hit by a crypto-ransomware intrusion, remember that Progent's roster of professionals has a proven track record in ransomware blocking, cleanup, and data recovery.

"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for letting me get rested after we got past the first week. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Grand Rapids a variety of remote monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services include next-generation artificial intelligence capability to detect new variants of crypto-ransomware that can slip past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which routinely escape traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to address the entire threat lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to cyber attacks from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help you plan and implement a ProSight ESP environment that meets your organization's unique needs and that helps you demonstrate compliance with legal and industry data security standards. Progent will assist you in defining and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require urgent attention. Progent can also help your company set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup software companies to create ProSight Data Protection Services (DPS), a family of management outsourcing plans that deliver backup-as-a-service. ProSight DPS products automate and monitor your backup processes and allow non-disruptive backup and rapid restoration of vital files/folders, apps, system images, and VMs. ProSight DPS lets you protect against data loss caused by equipment failures, natural disasters, fire, malware like ransomware, human error, malicious insiders, or application bugs. Managed services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading information security companies to provide centralized management and comprehensive security for all your email traffic. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and blocks most threats before they reach your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server monitor and protect internal email that stays within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map out, monitor, optimize and debug their networking appliances such as routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that network diagrams are always updated, copies and displays the configuration information of almost all devices on your network, monitors performance, and sends alerts when problems are detected. By automating time-consuming management processes, WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding devices that need critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to help keep your network operating efficiently by tracking the state of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT management staff and your assigned Progent engineering consultant so that all potential issues can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported immediately to a different hosting solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information about your IT infrastructure, procedures, business applications, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates, domains, or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time wasted looking for vital information about your network. ProSight IT Asset Management provides a common location for storing and sharing all the documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes cutting-edge behavior analysis tools to guard endpoints, servers, and VMs against modern malware attacks such as ransomware and email phishing, which routinely escape legacy signature-matching anti-virus tools. Progent's Active Security Monitoring services safeguard on-premises and cloud resources and offer a unified platform to address the complete malware attack lifecycle, including filtering, detection, containment, remediation, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Support Desk managed services enable your IT group to offload Help Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your internal network support resources and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a transparent extension of your corporate network support team. Client access to the Service Desk, delivery of support, issue escalation, trouble ticket generation and tracking, performance metrics, and management of the support database are consistent regardless of whether incidents are taken care of by your core support group, by Progent, or by a combination. Read more about Progent's outsourced/co-managed Help Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of all sizes a flexible and affordable solution for assessing, testing, scheduling, implementing, and tracking updates to your ever-evolving information network. Besides optimizing the protection and functionality of your IT network, Progent's software/firmware update management services free up time for your IT staff to focus on line-of-business initiatives and activities that deliver maximum business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against compromised passwords by using two-factor authentication (2FA). Duo supports one-tap identity verification on Apple iOS, Google Android, and other personal devices. With Duo 2FA, when you sign into a protected online account and enter your password, you are asked to confirm your identity via a device that only you possess and that is reached over a separate network channel. A broad range of devices can be used for this added form of identity validation, such as an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone. You may designate several validation devices. For details about Duo identity validation services, see Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of real-time, in-depth reporting utilities designed to work with the industry's top ticketing and network monitoring programs, including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues such as spotty support follow-through or endpoints with out-of-date anti-virus. By identifying ticketing or network health problems concisely and in near real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

For 24-Hour Grand Rapids Ransomware Cleanup Services, contact Progent at 800-462-8800 or go to Contact Progent.