Ransomware : Your Crippling IT Disaster
Crypto-Ransomware  Remediation ConsultantsRansomware has become an escalating cyber pandemic that poses an extinction-level danger for businesses unprepared for an assault. Multiple generations of ransomware such as Reveton, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause destruction. The latest versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, plus daily unnamed viruses, not only do encryption of on-line files but also infiltrate all configured system protection mechanisms. Information synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, it can make any restoration impossible and basically sets the network back to square one.

Getting back applications and information after a ransomware attack becomes a sprint against time as the victim struggles to contain and remove the ransomware and to resume enterprise-critical activity. Due to the fact that crypto-ransomware needs time to spread, attacks are frequently sprung on weekends, when successful attacks in many cases take more time to notice. This compounds the difficulty of promptly assembling and orchestrating an experienced mitigation team.

Progent has a range of support services for protecting organizations from ransomware attacks. Among these are user training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security solutions with machine learning capabilities from SentinelOne to discover and quarantine day-zero cyber attacks rapidly. Progent also offers the assistance of seasoned ransomware recovery professionals with the track record and commitment to reconstruct a breached system as urgently as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware penetration, sending the ransom demands in cryptocurrency does not provide any assurance that cyber criminals will respond with the keys to decipher all your data. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the average ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to setup from scratch the vital parts of your Information Technology environment. Absent access to full information backups, this calls for a wide complement of skill sets, top notch team management, and the capability to work continuously until the recovery project is completed.

For two decades, Progent has provided expert Information Technology services for companies in Hayward and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security engineers have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise provides Progent the skills to rapidly determine necessary systems and organize the surviving pieces of your IT system following a crypto-ransomware event and assemble them into an operational system.

Progent's ransomware group has state-of-the-art project management tools to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in unison with a customer's management and Information Technology staff to assign priority to tasks and to get the most important services back online as fast as possible.

Customer Case Study: A Successful Ransomware Penetration Response
A client sought out Progent after their network was crashed by the Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean state hackers, suspected of using technology exposed from the United States National Security Agency. Ryuk attacks specific companies with limited ability to sustain operational disruption and is one of the most profitable instances of ransomware malware. Well Known organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area and has about 500 staff members. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's system backups had been on-line at the time of the attack and were eventually encrypted. The client was evaluating paying the ransom (more than $200K) and wishfully thinking for good luck, but in the end reached out to Progent.


"I can't say enough in regards to the care Progent provided us throughout the most stressful period of (our) company's life. We would have paid the Hackers if it wasn't for the confidence the Progent team afforded us. That you could get our e-mail system and important servers back on-line faster than 1 week was earth shattering. Each person I spoke to or e-mailed at Progent was urgently focused on getting our system up and was working at all hours on our behalf."

Progent worked hand in hand the customer to quickly identify and prioritize the most important areas that had to be recovered in order to restart departmental functions:

  • Active Directory (AD)
  • E-Mail
  • MRP System
To get going, Progent adhered to Anti-virus penetration mitigation industry best practices by stopping lateral movement and disinfecting systems. Progent then initiated the steps of recovering Active Directory, the heart of enterprise networks built upon Microsoft Windows technology. Exchange messaging will not operate without AD, and the businesses' MRP applications used SQL Server, which requires Active Directory for security authorization to the database.

In less than 48 hours, Progent was able to rebuild Active Directory services to its pre-virus state. Progent then assisted with setup and hard drive recovery of key systems. All Exchange schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to locate local OST data files (Outlook Email Off-Line Data Files) on user desktop computers in order to recover email information. A not too old offline backup of the client's accounting/MRP software made it possible to restore these essential applications back on-line. Although a large amount of work needed to be completed to recover totally from the Ryuk damage, the most important services were restored quickly:


"For the most part, the production line operation showed little impact and we produced all customer shipments."

During the following few weeks important milestones in the recovery process were made in tight collaboration between Progent engineers and the customer:

  • Self-hosted web sites were restored with no loss of information.
  • The MailStore Exchange Server exceeding four million archived emails was spun up and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were 100% recovered.
  • A new Palo Alto 850 security appliance was deployed.
  • Most of the desktop computers were fully operational.

"So much of what happened those first few days is mostly a haze for me, but my management will not soon forget the countless hours each and every one of your team accomplished to give us our company back. I've been working together with Progent for at least 10 years, possibly more, and every time Progent has shined and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A probable business extinction disaster was evaded by results-oriented professionals, a broad array of IT skills, and close collaboration. Although in retrospect the ransomware incident described here should have been identified and disabled with up-to-date cyber security technology solutions and ISO/IEC 27001 best practices, user and IT administrator education, and properly executed incident response procedures for backup and keeping systems up to date with security patches, the reality remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware attack, remember that Progent's roster of experts has a proven track record in ransomware virus defense, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we got through the initial push. All of you did an amazing job, and if any of your team is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Hayward a range of remote monitoring and security assessment services to assist you to minimize the threat from ransomware. These services utilize modern AI technology to uncover zero-day strains of ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to automate the entire threat lifecycle including blocking, identification, mitigation, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools incorporated within one agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry data security regulations. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent attention. Progent can also help you to set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services (DPS), a family of offerings that provide backup-as-a-service. ProSight DPS products manage and track your backup processes and allow non-disruptive backup and fast recovery of critical files, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss caused by equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or application bugs. Managed backup services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security companies to deliver centralized control and comprehensive protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Dos Attacks, DHAs, and other email-based malware. The Cloud Protection Layer serves as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This decreases your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper layer of analysis for incoming email. For outbound email, the local gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also help Exchange Server to track and safeguard internal email that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map, monitor, reconfigure and troubleshoot their connectivity hardware such as routers and switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and sends notices when problems are detected. By automating tedious network management processes, ProSight WAN Watch can cut hours off common chores like network mapping, expanding your network, finding devices that require important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management technology to help keep your network operating at peak levels by tracking the health of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT personnel and your Progent consultant so any potential problems can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to an alternate hardware environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of time wasted searching for vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates next generation behavior-based machine learning technology to defend endpoints as well as physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily evade legacy signature-based AV products. Progent ASM services safeguard on-premises and cloud-based resources and provides a unified platform to manage the complete malware attack progression including protection, detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Center: Call Center Managed Services
    Progent's Support Desk managed services permit your information technology staff to outsource Help Desk services to Progent or split activity for support services seamlessly between your in-house support group and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Co-managed Service Desk provides a seamless supplement to your corporate network support staff. End user access to the Service Desk, provision of support services, problem escalation, trouble ticket generation and updates, performance measurement, and management of the support database are cohesive regardless of whether incidents are resolved by your internal network support staff, by Progent, or both. Read more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of any size a versatile and affordable solution for assessing, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. In addition to optimizing the protection and functionality of your IT network, Progent's software/firmware update management services free up time for your IT team to concentrate on more strategic initiatives and tasks that deliver the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication. Duo enables single-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you log into a secured application and enter your password you are requested to confirm who you are via a unit that only you have and that uses a separate network channel. A broad selection of devices can be used for this added means of ID validation such as a smartphone or watch, a hardware token, a landline phone, etc. You may designate several validation devices. To learn more about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of real-time and in-depth management reporting utilities created to integrate with the leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24x7x365 Hayward Ransomware Remediation Experts, contact Progent at 800-462-8800 or go to Contact Progent.