Ransomware: Your Crippling Information Technology Catastrophe
Ransomware Recovery Consultants
Crypto-ransomware has become an escalating cyber plague that represents an existential danger for organizations unprepared for an attack. Older families such as Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock have been around for years and continue to inflict havoc. More recent families like Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Nefilim, plus newer strains that have yet to be named, not only encrypt online data but also encrypt or delete every backup reachable from the compromised network: backup shares, backup servers and local shadow copies. Data replicated to an off-site disaster recovery site can be held hostage as well, because replication faithfully copies the encrypted files. In a poorly designed environment this makes automated restores impossible and knocks the entire organization back to square one.
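The failure mode above (backups that were online and got encrypted along with production data) is only discovered when the restore is attempted, unless someone checks the backup set beforehand. The following Python script is an added example, not Progent's tooling or anything from the original page. It checks backup files three ways: the file-format signature expected for the extension, a SHA-256 recorded in a manifest at backup time, and byte entropy for formats that are normally stored uncompressed. The extension-to-signature table, the manifest layout and the four sample files are assumptions constructed for the illustration; the sample files are built in memory so the script runs offline.

```python
import hashlib
import io
import math
import os
import zipfile

# Leading bytes each backup format is expected to start with. These are the
# formats assumed for this illustration; extend the table for your own backup
# products (image-level backup files have their own signatures).
KNOWN_MAGIC = {
    ".zip":  b"PK\x03\x04",
    ".7z":   b"7z\xbc\xaf\x27\x1c",
    ".gz":   b"\x1f\x8b",
    ".vhdx": b"vhdxfile",
    ".bak":  b"TAPE",          # SQL Server native backup (Microsoft Tape Format)
}
# Formats that are stored uncompressed, so high entropy is itself suspicious.
# Drop ".bak" from this set if you back up SQL Server WITH COMPRESSION.
UNCOMPRESSED = {".bak", ".vhdx"}


def shannon_entropy(data):
    """Bits per byte: ~8.0 for ciphertext or compressed data, far lower for plain data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_backup(name, data, manifest_sha256=None):
    """Return {'name', 'healthy', 'findings'} for one backup file's bytes."""
    findings = []
    base, ext = os.path.splitext(name)
    fmt_ext = ext.lower()
    if fmt_ext not in KNOWN_MAGIC:
        # A foreign suffix (.ryk, .locked, ...) behind a known one is the classic
        # rename that ransomware performs after encrypting a file in place.
        inner = os.path.splitext(base)[1].lower()
        if inner in KNOWN_MAGIC:
            findings.append("foreign extension %r appended to a %s backup" % (ext, inner))
            fmt_ext = inner
    expected = KNOWN_MAGIC.get(fmt_ext)
    if expected is not None and not data.startswith(expected):
        findings.append("header mismatch: expected %r, got %r" % (expected, data[:8]))
    if manifest_sha256 is not None and hashlib.sha256(data).hexdigest() != manifest_sha256:
        findings.append("sha256 differs from the manifest recorded at backup time")
    # Entropy is only meaningful for uncompressed formats: a healthy .zip or .7z
    # is already close to 8 bits/byte and would always trip this check.
    if fmt_ext in UNCOMPRESSED and shannon_entropy(data[:65536]) > 7.5:
        findings.append("high entropy in a normally uncompressed format")
    return {"name": name, "healthy": not findings, "findings": findings}


def _fake_ciphertext(n, seed=b"constructed"):
    """Deterministic stand-in for ransomware output (a chained SHA-256 stream)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def run_constructed_checks():
    """Build four constructed backup files in memory and assess each one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("payroll.csv", "id,name\n1,alice\n" * 2000)
    healthy_zip = buf.getvalue()
    healthy_bak = b"TAPE" + b"payroll row " * 6000          # low-entropy MTF body
    manifest = {"erp.zip": hashlib.sha256(healthy_zip).hexdigest(),
                "payroll.bak": hashlib.sha256(healthy_bak).hexdigest()}
    # Case 3: encrypted in full and renamed, as most families do.
    renamed = _fake_ciphertext(len(healthy_bak))
    # Case 4: intermittent encryption that leaves the header intact, so only
    # the manifest hash and the entropy check notice it.
    partial = healthy_bak[:4096] + _fake_ciphertext(len(healthy_bak) - 4096, b"partial")
    return {
        "erp.zip":              assess_backup("erp.zip", healthy_zip, manifest["erp.zip"]),
        "payroll.bak":          assess_backup("payroll.bak", healthy_bak, manifest["payroll.bak"]),
        "payroll.bak.ryk":      assess_backup("payroll.bak.ryk", renamed, manifest["payroll.bak"]),
        "payroll.bak (partial)": assess_backup("payroll.bak", partial, manifest["payroll.bak"]),
    }


if __name__ == "__main__":
    for label, result in run_constructed_checks().items():
        print(label, "OK" if result["healthy"] else result["findings"])
```

The fourth case is the one worth noting: intermittent encryption keeps the file's header intact, so a signature check alone passes and only the manifest hash (and, for uncompressed formats, the entropy jump) reveals the damage. None of this replaces a periodic test restore, and a manifest is only trustworthy if it is stored where the attacker cannot rewrite it, off the domain or on immutable storage.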

Recovering applications and data after a ransomware intrusion is a race against the clock: the victim must stop lateral movement, eradicate the ransomware and resume business-critical activity all at once. Because the attackers need time to move laterally and stage the encryptor, they typically detonate at night or over a weekend, when nobody is watching and the damage takes longer to discover. That timing also makes it harder to quickly assemble and coordinate a knowledgeable response team.

Progent offers a range of services for protecting enterprises from ransomware attacks: user training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment and configuration of SentinelOne's behavior-based endpoint protection, which detects and quarantines new threats automatically. Progent also provides seasoned ransomware recovery professionals with the track record and perseverance to rebuild a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over a working decryption key for all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms are commonly several hundred thousand dollars, and for larger enterprises the demand can reach millions. The alternative is to rebuild the essential elements of your IT environment from scratch. Without usable backups, this calls for a wide range of IT skills, professional project management, and the willingness to work around the clock until the recovery is done.

For decades, Progent has provided certified expert IT services for companies throughout the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of experience lets Progent rapidly understand critical systems, salvage what survives a ransomware attack, and assemble the remaining components into a functioning network.

Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the importance of acting quickly and in unison with the client's management and IT staff to prioritize tasks and bring critical services back online as fast as possible.

Customer Story: A Successful Ransomware Incident Response
A client escalated to Progent after their network was hit by Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored actors because it shares code with the older Hermes ransomware, but subsequent analysis attributed its operation to a Russian-speaking criminal group; unlike WannaCry, it does not rely on leaked NSA exploit code. Ryuk goes after specific organizations with little or no ability to sustain operational disruption and is among the most profitable ransomware operations. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had halted all business operations and manufacturing. Most of the client's backups had been online when the attack started and were encrypted. The client was preparing to pay the ransom (more than $200K) and hope for the best, but instead engaged Progent.


"I can't say enough about the help Progent gave us throughout the most fearful time of (our) company's existence. We would have had little choice but to pay the hackers if it weren't for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and critical applications back online in less than five days was earth shattering. Each staff member I talked with or texted at Progent was totally committed to getting us back online and was working day and night to bail us out."

Progent worked with the client to quickly identify and prioritize the critical services that had to be restored in order to keep the company running:

  • Active Directory
  • Exchange Server
  • Accounting/MRP
To begin, Progent followed ransomware incident response best practices by containing the spread and cleaning or rebuilding infected systems. Progent then began restoring Microsoft Active Directory, the heart of any enterprise environment built on Microsoft technology: Exchange will not function without AD, and the customer's financials and MRP system ran on SQL Server, which relied on Active Directory for authentication to the data.
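Containment starts with knowing which hosts and accounts the attacker is using, and in a Ryuk-style intrusion the staging phase leaves a recognizable trail in Windows event logs before the encryptor runs: shadow copies and the backup catalog are deleted, boot recovery is disabled, and one account fans out to many hosts over SMB or RDP, usually at night as described above. The Python script below is an added example, not Progent's tooling or anything from the original page. It runs two detections over log records: a pattern list for recovery-tampering commands in 4688 process-creation events, and a sliding window over 4624 logon events that flags a source address opening network or RDP logons to several distinct hosts within a few minutes. The record format, the sample lines and the thresholds are assumptions constructed for the illustration; real exports (EVTX, Sysmon, a SIEM) need their own parser.

```python
"""Flag ransomware staging in Windows Security-log records.

Added example, not Progent's tooling. The sample records are constructed to
mimic simplified 4688 (process creation) and 4624 (logon) events; a real
export (EVTX, Sysmon, a SIEM) needs its own parser, the rules stay the same.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands operators run before detonation so the victim cannot roll back.
# All are documented precursors in Ryuk/Conti/Sodinokibi intrusions.
TAMPER_PATTERNS = {
    "vss-delete":      re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vss-resize":      re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic-shadowcopy": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit-norecov": re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
    "wbadmin-catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "ps-shadowcopy":   re.compile(r"win32_shadowcopy", re.I),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\d+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed record into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
           "host": m["host"], "event": int(m["event"])}
    rest = m["rest"]
    cmd = re.search(r"\bcmd=(.*)$", rest)      # cmd= is last and contains spaces
    if cmd:
        rec["cmd"] = cmd.group(1)
        rest = rest[:cmd.start()]
    for kv in rest.split():
        if "=" in kv:
            k, v = kv.split("=", 1)
            rec[k] = v
    return rec


def detect(lines, fanout=3, window=timedelta(minutes=5)):
    """Return findings: recovery-tampering commands, plus any source address
    that opened network (type 3) or RDP (type 10) logons to `fanout` or more
    distinct hosts inside `window`, the signature of hands-on lateral movement."""
    findings = []
    logons = defaultdict(list)                    # src -> [(ts, host)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == 4688:
            for rule, pat in TAMPER_PATTERNS.items():
                if pat.search(rec.get("cmd", "")):
                    findings.append({"rule": rule, "host": rec["host"],
                                     "user": rec.get("user"), "ts": rec["ts"]})
        elif rec["event"] == 4624 and rec.get("logon_type") in ("3", "10"):
            logons[rec.get("src")].append((rec["ts"], rec["host"]))
    for src, events in logons.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - ts <= window}
            if len(hosts) >= fanout:
                findings.append({"rule": "lateral-fanout", "src": src,
                                 "hosts": sorted(hosts), "ts": ts})
                break                              # one page per source is enough
    return findings


# Constructed sample: a backup service account hops FS01 -> FS02 -> EXCH01 at
# 2 a.m. and then strips recovery options on FS01; the 8 a.m. lines are benign.
SAMPLE_LOG = """\
2024-05-11T02:13:07Z host=FS01 event=4624 user=CORP\\svc_backup logon_type=3 src=10.0.5.23
2024-05-11T02:13:41Z host=FS02 event=4624 user=CORP\\svc_backup logon_type=3 src=10.0.5.23
2024-05-11T02:14:02Z host=EXCH01 event=4624 user=CORP\\svc_backup logon_type=10 src=10.0.5.23
2024-05-11T02:15:10Z host=FS01 event=4688 user=CORP\\svc_backup cmd=vssadmin.exe delete shadows /all /quiet
2024-05-11T02:15:12Z host=FS01 event=4688 user=CORP\\svc_backup cmd=bcdedit.exe /set {default} recoveryenabled no
2024-05-11T02:15:14Z host=FS01 event=4688 user=CORP\\svc_backup cmd=wbadmin.exe delete catalog -quiet
2024-05-11T08:01:00Z host=WS114 event=4624 user=CORP\\jdoe logon_type=2 src=127.0.0.1
2024-05-11T08:02:30Z host=WS114 event=4688 user=CORP\\jdoe cmd=vssadmin.exe list shadows
"""


def analyze_sample():
    """Run both detections over the constructed sample."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in analyze_sample():
        print(finding)
```

Either rule firing is a reason to isolate the host and disable the account immediately, not to open a ticket for the morning: the shadow-copy deletion in particular is what turns a recoverable incident into the rebuild described on this page, and it usually runs only minutes before encryption starts. The fan-out threshold is deliberately low for a service account that should never log on interactively; tune it per account class rather than globally.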

In less than two days, Progent rebuilt Active Directory to its pre-attack state. Progent then helped with the setup and disk recovery of mission-critical systems. All Exchange Server data and configuration were intact, which greatly simplified the Exchange restore. Progent also located intact OST files (Outlook offline data files) on various desktops and laptops and used them to recover email messages. A reasonably recent offline backup of the customer's financials/ERP system made it possible to bring those vital applications back into service. Although major work remained to recover fully from the Ryuk damage, critical systems were restored rapidly:


"For the most part, the production manufacturing operation showed little impact and we delivered all customer orders."

Over the following month, important milestones in the restoration project were achieved through close cooperation between Progent engineers and the customer:

  • Internal web applications were returned to operation without losing any data.
  • The MailStore email archive server, holding over 4 million archived Exchange messages, was brought back online and made accessible to users.
  • CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control were 100 percent functional.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Nearly all user desktops and notebooks were operational.

"So much of what happened that first week is mostly a blur for me, but my team will not soon forget the urgency with which each of you worked to give us our business back. I have utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered. This time was a life saver."

Conclusion
A potentially business-killing catastrophe was avoided through hard-working experts, a wide array of IT skills, and close collaboration. In hindsight, the ransomware incident described here could have been detected and blocked with current security tooling and security best practices: team training, well-thought-out procedures for data protection (including backups kept offline or otherwise out of the attacker's reach) and timely software patching. The reality, though, is that ransomware operators, including well-resourced groups operating from Russia, China and elsewhere, are relentless and will keep trying. If you are hit by a ransomware attack, you can be confident that Progent's team has proven experience in ransomware prevention, mitigation, and systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we got through the first week. All of you made an incredible effort, and if anyone is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Hayward a range of remote monitoring and security assessment services to help minimize the threat from ransomware. These services include behavior-based detection that can catch zero-day strains of ransomware which slip past traditional signature-based security tools.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses SentinelOne's next-generation behavior analysis to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily escape legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to automate the entire threat lifecycle: filtering, identification, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Rollback only works if shadow copies survive the attack, and most ransomware deletes them (for example with vssadmin delete shadows) before encrypting, so the endpoint agent must block that deletion; rollback complements offline backups rather than replacing them. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and react to cyber attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP environment that meets your organization's specific requirements and that helps you demonstrate compliance with government and industry information security regulations. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that require immediate action. Progent's consultants can also help your company set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with advanced backup/restore software companies to produce ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS products manage and track your data backup operations and allow non-disruptive backup and rapid restoration of critical files/folders, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss resulting from equipment failures, natural calamities, fire, cyber attacks such as ransomware, user error, malicious employees, or software bugs. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security companies to provide web-based control and world-class protection for all your inbound and outbound email. The architecture of the Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite security gateway device provides a further layer of analysis for incoming email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server in monitoring and safeguarding internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to diagram, track, enhance and debug their networking appliances such as routers, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, locating devices that need important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network running at peak levels by checking the state of critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT management personnel and your assigned Progent consultant so any potential issues can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to a different hardware solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect data about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to half of the time spent trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your network infrastructure, like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that uses next-generation behavior analysis to guard endpoints, servers and VMs against modern malware such as ransomware and the payloads delivered by phishing email, which routinely evade traditional signature-matching anti-virus tools. The service safeguards local and cloud-based resources and provides a unified platform to automate the entire threat progression: filtering, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Call Center services enable your information technology group to outsource Call Center services to Progent or divide activity for support services transparently between your in-house support group and Progent's extensive pool of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent extension of your internal IT support team. User interaction with the Service Desk, delivery of technical assistance, problem escalation, trouble ticket creation and tracking, performance metrics, and management of the support database are cohesive regardless of whether incidents are taken care of by your core network support organization, by Progent, or both. Find out more about Progent's outsourced/shared Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide businesses of any size a flexible and affordable solution for assessing, validating, scheduling, implementing, and documenting updates to your ever-evolving information system. In addition to maximizing the protection and functionality of your IT network, Progent's patch management services free up time for your IT team to concentrate on more strategic initiatives and tasks that deliver the highest business value from your network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo technology to defend against credential theft through two-factor authentication. Duo supports single-tap identity verification with Apple iOS, Android, and other personal devices. With Duo 2FA, whenever you sign into a protected account and enter your password, you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A wide selection of devices can serve as this added means of identity verification, such as an iPhone, Android phone or wearable, a hardware or software token, or a landline phone, and you may register several verification devices. To find out more about Duo two-factor authentication services, see Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of real-time reporting utilities created to integrate with the top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-through or machines with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For Hayward 24/7 Ransomware Recovery Services, reach out to Progent at 800-462-8800 or go to Contact Progent.