Ransomware: Your Worst Information Technology Catastrophe
Ransomware Recovery Consultants
Ransomware has become a modern cyber pandemic that poses an existential danger for businesses vulnerable to an assault. Different versions of ransomware such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for many years and continue to inflict destruction. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, along with frequent as yet unnamed viruses, not only encrypt online information but also corrupt most accessible system protection mechanisms. Information synchronized to off-site disaster recovery sites can also be rendered useless. In a vulnerable system, this makes automated restore operations useless and basically sets the entire system back to square one.

Restoring applications and data following a ransomware event becomes a race against the clock as the targeted organization struggles to contain the damage and remove the crypto-ransomware and to resume mission-critical activity. Since ransomware takes time to move laterally, assaults are usually launched on weekends, when successful penetrations may take longer to discover. This multiplies the difficulty of promptly marshalling and organizing a knowledgeable mitigation team.

Progent makes available a range of solutions for securing organizations from ransomware penetrations. Among these are team education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security solutions with AI technology from SentinelOne to detect and suppress zero-day threats quickly. Progent also can provide the services of expert ransomware recovery professionals with the track record and perseverance to reconstruct a compromised system as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber criminals will provide the needed keys to decipher any or all of your information. Kaspersky estimated that seventeen percent of crypto-ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. Paying is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be around $13,000. The alternative is to set up from scratch the critical elements of your Information Technology environment. Absent the availability of essential data backups, this calls for a wide complement of IT skills, well-coordinated project management, and the capability to work non-stop until the recovery project is over.

For twenty years, Progent has provided professional IT services for companies in Harrisburg and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security specialists have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise in financial management and ERP application software. This breadth of expertise affords Progent the skills to knowledgeably identify critical systems, organize the remaining components of your Information Technology environment after a ransomware event, and rebuild them into a functioning system.

Progent's ransomware group deploys best of breed project management tools to coordinate the sophisticated recovery process. Progent appreciates the urgency of working quickly and in unison with a customer's management and IT staff to assign priority to tasks and to get the most important systems back on line as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Penetration Restoration
A client sought out Progent after their network system was penetrated by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state sponsored hackers, suspected of using strategies leaked from the United States National Security Agency. Ryuk goes after specific organizations with limited ability to sustain disruption and is one of the most profitable iterations of ransomware viruses. Well-known targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business located in the Chicago metro area and has around 500 employees. The Ryuk attack had disabled all business operations and manufacturing processes. Most of the client's data backups had been on-line at the start of the attack and were damaged. The client was actively seeking loans for paying the ransom demand (more than two hundred thousand dollars) and praying for good luck, but ultimately reached out to Progent.

"I can't say enough in regards to the help Progent gave us during the most critical time of (our) business's existence. We would have paid the cyber criminals behind the attack except for the confidence the Progent experts provided us. The fact that you were able to get our messaging and important servers back into operation quicker than a week was incredible. Every single person I spoke to or e-mailed at Progent was urgently focused on getting us working again and was working 24 by 7 to bail us out."

Progent worked hand in hand with the client to quickly assess and assign priority to the mission critical elements that needed to be restored to make it possible to continue company operations:

  • Windows Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP

To begin, Progent adhered to industry best practices for malware incident response by stopping lateral movement and removing active viruses. Progent then started the task of rebuilding Microsoft Active Directory, the core of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not function without AD, and the client's accounting and MRP software used SQL Server, which requires Windows AD for authentication to the database.

In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then helped perform reinstallations and storage recovery on needed systems. All Exchange data and configuration information were intact, which accelerated the restore of Exchange. Progent was able to collect non-encrypted OST files (Microsoft Outlook Off-Line Data Files) on user workstations to recover email messages. A fairly recent offline backup of the client's financials/MRP software made it possible to bring these vital programs back on-line. Although a large amount of work remained to recover completely from the Ryuk attack, the most important services were returned to operation quickly:

"For the most part, the production manufacturing operation ran fairly normal throughout and we delivered all customer shipments."
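The OST salvage step described above depends on telling intact Outlook caches apart from ones the ransomware rewrote. As an added illustration, not Progent's own tooling, the following Python triage script walks a collected profile tree and checks each OST/PST file for the 4-byte PST/OST magic header "!BDN"; the sample directory tree and the ".locked" suffix are constructed for the example.

```python
import os
import tempfile

# Every PST/OST file begins with the 4-byte magic "!BDN" (MS-PST dwMagic = 0x4E444221).
# A cache that has been rewritten by ransomware no longer carries this header, so a
# cheap header check separates still-usable mailbox caches from damaged ones before
# anyone spends time importing them into a rebuilt Exchange or Outlook profile.
OST_MAGIC = b"!BDN"
OST_EXTENSIONS = (".ost", ".pst")


def classify_ost(path):
    """Return 'intact', 'damaged' or 'unreadable' for one mailbox cache file."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(len(OST_MAGIC))
    except OSError:
        return "unreadable"
    return "intact" if header == OST_MAGIC else "damaged"


def looks_like_mailbox_cache(name):
    """Match plain .ost/.pst names and renamed ones such as 'x.ost.<suffix>'."""
    lower = name.lower()
    return lower.endswith(OST_EXTENSIONS) or any(ext + "." in lower for ext in OST_EXTENSIONS)


def scan_for_ost(root):
    """Walk `root` and bucket every mailbox cache file by its header state."""
    result = {"intact": [], "damaged": [], "unreadable": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if looks_like_mailbox_cache(name):
                full = os.path.join(dirpath, name)
                result[classify_ost(full)].append(os.path.relpath(full, root))
    for key in result:
        result[key].sort()
    return result


def build_sample_tree():
    """Constructed sample: a temp directory standing in for collected user profiles."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    alice = os.path.join(root, "alice", "AppData", "Local", "Microsoft", "Outlook")
    bob = os.path.join(root, "bob", "AppData", "Local", "Microsoft", "Outlook")
    os.makedirs(alice)
    os.makedirs(bob)
    # alice's cache still carries the real header (only the header matters for triage)
    with open(os.path.join(alice, "alice@example.com.ost"), "wb") as fh:
        fh.write(OST_MAGIC + b"\x00" * 60)
    # bob's cache was overwritten and renamed with a constructed ".locked" suffix
    with open(os.path.join(bob, "bob@example.com.ost.locked"), "wb") as fh:
        fh.write(b"\x9f\x11\x42\x7c" + b"\xaa" * 60)
    # an unrelated file that must be ignored by the scan
    with open(os.path.join(bob, "notes.txt"), "w") as fh:
        fh.write("not a mailbox\n")
    return root


if __name__ == "__main__":
    report = scan_for_ost(build_sample_tree())
    for state, files in report.items():
        print(f"{state}: {files}")
```

Run it against the root of a share where workstation profile folders were copied; the "intact" list is the set of caches worth importing first.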

Over the following month key milestones in the recovery project were completed through close cooperation between Progent engineers and the client:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million archived emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were 100% restored.
  • A new Palo Alto 850 security appliance was deployed.
  • 90% of the user desktops and notebooks were operational.

"Much of what happened that first week is mostly a blur for me, but I will not forget the countless hours each and every one of you accomplished to give us our business back. I've trusted Progent for at least 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This event was a stunning achievement."

Conclusion
A likely business-ending disaster was dodged by hard-working professionals, a broad spectrum of subject matter expertise, and tight collaboration. Although forensics completed after the fact showed that the crypto-ransomware incident detailed here would have been prevented with modern cyber security solutions and security best practices, user and IT administrator training, and appropriate security procedures for information backup and keeping systems up to date with security patches, the fact remains that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has a proven track record in ransomware virus defense, removal, and data disaster recovery.

"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for making it so I could get rested after we made it past the most critical parts. Everyone did an impressive effort, and if anyone is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Harrisburg a portfolio of remote monitoring and security evaluation services to assist you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation AI capability to uncover new strains of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's next generation behavior-based analysis tools to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to address the complete threat progression including protection, identification, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools packaged within a single agent managed from a single console. Progent's security and virtualization experts can help you to plan and implement a ProSight ESP deployment that addresses your organization's unique needs and that allows you to demonstrate compliance with legal and industry data protection standards. Progent will assist you in specifying and implementing the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require urgent action. Progent's consultants can also help you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with advanced backup software providers to create ProSight Data Protection Services (DPS), a selection of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup processes and allow transparent backup and fast restoration of important files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss resulting from equipment breakdown, natural calamities, fire, malware such as ransomware, human mistakes, malicious employees, or software bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security vendors to provide centralized management and world-class security for your inbound and outbound email. The hybrid structure of Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and keeps most threats from making it to your network firewall. This reduces your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the local gateway offers AV and anti-spam filtering, DLP, and email encryption. The local gateway can also help Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map out, monitor, optimize and debug their connectivity appliances like routers and switches, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are kept current, copies and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when issues are detected. By automating tedious management activities, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, locating devices that need important updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running efficiently by checking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT personnel and your assigned Progent consultant so that all looming problems can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hardware solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard data about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to 50% of time wasted looking for critical information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates cutting-edge behavior-based machine learning tools to guard endpoints, servers and VMs against new malware assaults like ransomware and email phishing, which easily get by traditional signature-based AV products. Progent ASM services protect on-premises and cloud resources and provide a unified platform to manage the complete malware attack lifecycle including protection, detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Call Center: Call Center Managed Services
    Progent's Support Center managed services enable your IT staff to offload Call Center services to Progent or divide activity for support services transparently between your in-house network support resources and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a seamless supplement to your in-house network support organization. Client access to the Service Desk, provision of technical assistance, issue escalation, trouble ticket creation and tracking, efficiency measurement, and management of the service database are consistent regardless of whether issues are resolved by your corporate support organization, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of all sizes a flexible and affordable solution for assessing, validating, scheduling, applying, and documenting updates to your ever-evolving IT system. Besides maximizing the security and reliability of your computer environment, Progent's patch management services permit your IT team to focus on line-of-business initiatives and tasks that derive the highest business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity verification on iOS, Android, and other personal devices. With Duo 2FA, when you log into a protected online account and give your password you are asked to verify who you are via a unit that only you have and that uses a different ("out-of-band") network channel. A wide range of devices can be utilized as this second form of ID validation including a smartphone or wearable, a hardware token, a landline telephone, etc. You can designate several verification devices. To learn more about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of in-depth management reporting tools created to work with the industry's top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues like inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.

For Harrisburg 24x7x365 Ransomware Cleanup Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.