Ransomware : Your Worst IT Nightmare
Ransomware  Remediation ExpertsRansomware has become a modern cyberplague that poses an enterprise-level danger for businesses poorly prepared for an assault. Multiple generations of ransomware like the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict damage. Modern variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as frequent as yet unnamed viruses, not only encrypt on-line files but also infect most available system protection. Information replicated to the cloud can also be corrupted. In a poorly designed data protection solution, this can make automatic recovery hopeless and basically knocks the network back to square one.

Restoring programs and data following a ransomware outage becomes a sprint against time as the targeted business fights to stop the spread and remove the crypto-ransomware and to resume mission-critical operations. Since ransomware requires time to move laterally, assaults are frequently sprung on weekends, when penetrations typically take more time to detect. This multiplies the difficulty of quickly marshalling and organizing a capable response team.

Progent provides an assortment of support services for protecting businesses from ransomware events. Among these are team training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of modern security gateways with artificial intelligence technology from SentinelOne to discover and suppress day-zero threats automatically. Progent in addition provides the assistance of seasoned ransomware recovery professionals with the track record and commitment to re-deploy a compromised network as soon as possible.

Progent's Ransomware Restoration Support Services
Soon after a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not guarantee that cyber hackers will provide the needed keys to decrypt any or all of your data. Kaspersky estimated that 17% of crypto-ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the usual crypto-ransomware demands, which ZDNET averages to be around $13,000. The fallback is to re-install the critical elements of your Information Technology environment. Without access to essential data backups, this requires a broad complement of IT skills, professional project management, and the willingness to work continuously until the recovery project is finished.

For decades, Progent has offered expert Information Technology services for businesses in Hartford and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have been awarded top industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security engineers have earned internationally-recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP application software. This breadth of experience gives Progent the skills to rapidly understand critical systems and re-organize the remaining pieces of your network environment following a ransomware event and configure them into an operational system.

Progent's ransomware group uses powerful project management applications to coordinate the sophisticated restoration process. Progent knows the urgency of acting quickly and in concert with a client's management and Information Technology team members to assign priority to tasks and to get critical services back on line as fast as possible.

Customer Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer engaged Progent after their network system was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state sponsored criminal gangs, possibly using strategies exposed from America's National Security Agency. Ryuk seeks specific organizations with little tolerance for disruption and is one of the most profitable examples of ransomware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area with about 500 workers. The Ryuk intrusion had paralyzed all company operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client was actively seeking loans for paying the ransom (exceeding $200,000) and wishfully thinking for good luck, but ultimately made the decision to use Progent.


"I cannot speak enough about the support Progent gave us throughout the most critical period of (our) company's survival. We had little choice but to pay the hackers behind this attack if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our messaging and critical servers back into operation faster than seven days was something I thought impossible. Every single consultant I spoke to or e-mailed at Progent was totally committed on getting us back on-line and was working at all hours to bail us out."

Progent worked with the client to quickly understand and assign priority to the key services that had to be restored to make it possible to restart company operations:

  • Windows Active Directory
  • E-Mail
  • Accounting and Manufacturing Software
To get going, Progent followed Anti-virus penetration response industry best practices by stopping the spread and removing active viruses. Progent then began the steps of bringing back online Microsoft Active Directory, the core of enterprise systems built upon Microsoft technology. Exchange messaging will not function without Active Directory, and the client's financials and MRP software leveraged SQL Server, which requires Active Directory services for authentication to the information.

Within two days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then accomplished setup and hard drive recovery on critical applications. All Exchange ties and attributes were usable, which facilitated the restore of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Offline Data Files) on staff desktop computers and laptops to recover mail messages. A not too old off-line backup of the customer's accounting/MRP systems made them able to restore these essential programs back servicing users. Although significant work needed to be completed to recover totally from the Ryuk virus, essential services were returned to operations quickly:


"For the most part, the production operation showed little impact and we did not miss any customer deliverables."

Throughout the following couple of weeks key milestones in the recovery process were made through tight cooperation between Progent engineers and the customer:

  • In-house web sites were restored with no loss of data.
  • The MailStore Exchange Server exceeding 4 million archived emails was spun up and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were 100% operational.
  • A new Palo Alto 850 firewall was brought on-line.
  • Nearly all of the desktops and laptops were fully operational.

"A huge amount of what went on in the early hours is nearly entirely a blur for me, but I will not forget the commitment all of you put in to help get our company back. I've been working together with Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered as promised. This situation was a stunning achievement."

Conclusion
A possible enterprise-killing catastrophe was averted by dedicated professionals, a wide spectrum of technical expertise, and close teamwork. Although in hindsight the ransomware virus attack detailed here should have been identified and blocked with up-to-date cyber security technology solutions and security best practices, user education, and well designed security procedures for data protection and proper patching controls, the reality remains that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, feel confident that Progent's team of experts has proven experience in crypto-ransomware virus blocking, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for allowing me to get some sleep after we made it past the initial fire. All of you did an fabulous job, and if anyone that helped is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Hartford a variety of remote monitoring and security assessment services designed to help you to reduce your vulnerability to crypto-ransomware. These services incorporate modern artificial intelligence capability to detect zero-day strains of crypto-ransomware that can get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to address the complete threat progression including filtering, detection, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering through leading-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent can also help you to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore technology companies to produce ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and allow non-disruptive backup and fast restoration of vital files, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss resulting from hardware failures, natural disasters, fire, cyber attacks like ransomware, human error, ill-intentioned insiders, or software bugs. Managed backup services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to provide web-based management and world-class security for all your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a preliminary barricade and keeps most threats from making it to your security perimeter. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a further level of inspection for incoming email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to diagram, track, reconfigure and troubleshoot their networking hardware such as switches, firewalls, and load balancers as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network maps are always updated, captures and displays the configuration of almost all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating tedious management activities, WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, locating devices that need important updates, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system running efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT staff and your Progent consultant so all looming issues can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved immediately to a different hardware solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect data related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates ,domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to 50% of time spent searching for critical information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates cutting edge behavior-based machine learning technology to guard endpoint devices and physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-based AV products. Progent ASM services protect on-premises and cloud-based resources and offers a unified platform to automate the complete malware attack lifecycle including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Support Desk services allow your IT group to outsource Support Desk services to Progent or divide activity for Help Desk services transparently between your internal support team and Progent's extensive roster of certified IT service engineers and subject matter experts. Progent's Shared Service Desk offers a seamless supplement to your internal support organization. Client access to the Service Desk, provision of support, problem escalation, ticket creation and updates, efficiency measurement, and management of the support database are consistent whether incidents are resolved by your corporate support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. Besides maximizing the security and functionality of your computer network, Progent's patch management services permit your IT team to concentrate on more strategic projects and tasks that derive maximum business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication. Duo enables one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. Using 2FA, when you sign into a protected online account and give your password you are requested to verify your identity on a unit that only you possess and that is accessed using a different network channel. A wide range of out-of-band devices can be utilized as this second means of ID validation including an iPhone or Android or watch, a hardware/software token, a landline phone, etc. You can register multiple validation devices. For more information about ProSight Duo identity authentication services, visit Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of real-time and in-depth reporting tools designed to work with the industry's top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-up or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Hartford 24-7 CryptoLocker Repair Support Services, call Progent at 800-462-8800 or go to Contact Progent.