Ransomware: Your Worst Information Technology Catastrophe
Ransomware Remediation Professionals
Ransomware has become an escalating cyber pandemic that represents an existential danger for businesses of all sizes that are poorly prepared for an assault. Different iterations of crypto-ransomware like the Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for many years and still inflict harm. Recent variants of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nephilim, plus daily as-yet-unnamed malware, not only encrypt critical online data but also infect any accessible system backup. Data synced to cloud environments can also be rendered useless. In a poorly designed data protection solution, this can make any restore operation impossible and essentially sets the network back to square one.

Recovering services and data following a ransomware attack becomes a sprint against the clock as the targeted organization fights to contain the damage and eradicate the virus and to restore business-critical activity. Because ransomware takes time to spread, assaults are often sprung during nights and weekends, when successful attacks may take longer to uncover. This multiplies the difficulty of rapidly marshalling and coordinating a qualified mitigation team.

Progent has a range of solutions for protecting businesses from ransomware attacks. Among these are staff education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security appliances with AI technology from SentinelOne to discover and extinguish zero-day cyber threats quickly. Progent in addition offers the assistance of experienced ransomware recovery consultants with the talent and perseverance to reconstruct a compromised system as urgently as possible.

Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will provide the keys needed to decrypt any of your information. Kaspersky Labs found that 17% of ransomware victims never recovered their files after paying the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to re-install the mission-critical components of your IT environment. Absent the availability of full data backups, this calls for a broad complement of skill sets, well-coordinated team management, and the capability to work non-stop until the recovery project is done.

For twenty years, Progent has made available expert IT services for companies in Hialeah and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded top industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the ability to quickly identify critical systems, consolidate the remaining pieces of your computer network environment after a crypto-ransomware penetration, and assemble them into an operational network.

Progent's recovery team of experts utilizes powerful project management systems to coordinate the complicated restoration process. Progent knows the urgency of acting rapidly and together with a customer's management and Information Technology team members to assign priority to tasks and to put essential systems back on line as fast as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A client escalated to Progent after their network was taken over by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored criminal gangs, suspected of using techniques leaked from America's NSA. Ryuk goes after specific companies with limited tolerance for disruption and is among the most lucrative examples of crypto-ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with around 500 workers. The Ryuk penetration had disabled all company operations and manufacturing capabilities. Most of the client's data backups had been online at the beginning of the attack and were destroyed. The client was pursuing financing to pay the ransom (more than $200K) and hoping for good luck, but in the end called Progent.


"I cannot say enough in regards to the care Progent provided us during the most critical period of (our) business's survival. We would have had little choice but to pay the cyber criminals if not for the confidence the Progent experts gave us. The fact that you could get our e-mail system and essential servers back into operation in less than five days was something I thought impossible. Every single staff member I spoke to or e-mailed at Progent was totally committed to getting our company operational and was working at breakneck pace on our behalf."

Progent worked together with the customer to quickly understand and assign priority to the mission critical elements that had to be addressed to make it possible to resume departmental operations:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • MRP System

To begin, Progent adhered to ransomware incident mitigation best practices by stopping the spread and removing active malware. Progent then started the steps of recovering Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without AD, and the client's accounting and MRP system used Microsoft SQL Server, which requires Windows AD for access to the data.
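The ordering described above (contain and eradicate first, then Active Directory before everything that authenticates against it) is a dependency problem: a service can only be brought back once the services it relies on are up. The following script is an added illustration, not Progent's tooling or anything from the case study. It encodes a constructed dependency map modelled on the systems named on this page (AD, Exchange, SQL Server, MRP) and computes both a serial restore order and the "waves" of systems that can be rebuilt in parallel, refusing to produce a plan if the dependencies form a cycle.

```python
"""Dependency-ordered recovery planning (added example, not Progent's code).

The case study restores Active Directory first because Exchange and the
SQL-backed MRP system cannot authenticate without it. This script encodes
such dependencies as a small directed graph and emits a restore order in
which every service comes after everything it depends on. The service
names and dependencies below are constructed for illustration only.
"""
from collections import defaultdict, deque

# Constructed dependency map: service -> services that must be up first.
SAMPLE_DEPENDENCIES = {
    "Active Directory": [],
    "DNS": ["Active Directory"],
    "Exchange Server": ["Active Directory", "DNS"],
    "SQL Server": ["Active Directory"],
    "MRP System": ["SQL Server"],
    "Accounting": ["SQL Server"],
}


def restore_order(deps):
    """Return the services ordered so each one follows its dependencies.

    Kahn's algorithm with alphabetical tie-breaking, so the output is
    deterministic. Raises ValueError if a service depends on something not
    in the map, or if the graph contains a cycle (two systems each waiting
    on the other), which in a real recovery means a manual decision is
    needed before work can start.
    """
    indegree = {svc: 0 for svc in deps}
    dependents = defaultdict(list)
    for svc, requires in deps.items():
        for req in requires:
            if req not in indegree:
                raise ValueError(f"{svc} depends on unknown service {req!r}")
            indegree[svc] += 1
            dependents[req].append(svc)

    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for child in sorted(dependents[svc]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    if len(order) != len(deps):
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def restore_waves(deps):
    """Group services into waves; everything in a wave can be rebuilt in
    parallel because all of its dependencies were restored in earlier waves.
    """
    remaining = set(deps)
    done = set()
    waves = []
    while remaining:
        wave = sorted(s for s in remaining if all(r in done for r in deps[s]))
        if not wave:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        waves.append(wave)
        done.update(wave)
        remaining.difference_update(wave)
    return waves


if __name__ == "__main__":
    print("Serial restore order:")
    for i, svc in enumerate(restore_order(SAMPLE_DEPENDENCIES), 1):
        print(f"  {i}. {svc}")
    print("Parallel waves:")
    for i, wave in enumerate(restore_waves(SAMPLE_DEPENDENCIES), 1):
        print(f"  wave {i}: {', '.join(wave)}")
```

On the constructed map the first wave is Active Directory alone, the second is DNS and SQL Server, and the third is Accounting, Exchange Server and the MRP System, which mirrors the sequence the case study followed. In practice the map would also record where each system's last clean backup lives, since a dependency that cannot be restored from an offline copy blocks everything downstream of it.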

Within 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then performed rebuilding and storage recovery on mission-critical systems. All Exchange ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to collect local OST files (Outlook Offline Folder files) from staff desktop computers and laptops in order to recover email messages. A reasonably recent offline backup of the client's financials/MRP systems made it possible to bring these required applications back online. Although a large amount of work still had to be done to recover totally from the Ryuk attack, the most important systems were returned to operation rapidly:


"For the most part, the production line operation was never shut down and we did not miss any customer orders."

Throughout the next few weeks critical milestones in the restoration project were accomplished in tight collaboration between Progent engineers and the client:

  • In-house web applications were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server containing more than four million historical emails was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory capabilities were completely restored.
  • A new Palo Alto 850 firewall was brought on-line.
  • Most of the user PCs were operational.

"A huge amount of what transpired in the initial days is mostly a haze for me, but our team will not soon forget the commitment each and every one of you accomplished to help get our company back. I've been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered as promised. This time was the most impressive ever."

Conclusion
A possible business disaster was avoided by dedicated professionals, a broad array of technical expertise, and close collaboration. Although in hindsight the crypto-ransomware penetration detailed here would have been prevented with advanced cyber security solutions and ISO/IEC 27001 best practices, staff training, and well-designed incident response procedures for data backup and keeping systems up to date with security patches, the fact remains that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, feel confident that Progent's roster of experts has substantial experience in ransomware defense, cleanup, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), I'm grateful for making it so I could get some sleep after we got over the initial fire. All of you did a fabulous effort, and if any of you guys are around the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Hialeah a range of online monitoring and security assessment services designed to assist you to minimize the threat from ransomware. These services incorporate next-generation AI technology to uncover new strains of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to automate the entire malware attack progression including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to security threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, endpoint management, and web filtering via leading-edge tools packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP environment that meets your organization's unique needs and that allows you to prove compliance with legal and industry data protection regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent's consultants can also assist your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology companies to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that deliver backup-as-a-service. ProSight DPS products manage and track your data backup processes and allow non-disruptive backup and rapid recovery of critical files/folders, apps, system images, and virtual machines. ProSight DPS helps you recover from data loss resulting from equipment failures, natural disasters, fire, cyber attacks like ransomware, human error, malicious insiders, or software bugs. Managed services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide web-based management and world-class protection for all your inbound and outbound email. The powerful architecture of Email Guard combines cloud-based filtering with a local gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and blocks most unwanted email from making it to your security perimeter. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a further layer of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, track, reconfigure and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers as well as servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are kept updated, copies and displays the configuration of virtually all devices on your network, monitors performance, and sends notices when issues are detected. By automating tedious network management processes, WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, finding appliances that require critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to help keep your network running at peak levels by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT personnel and your assigned Progent consultant so any potential problems can be resolved before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault-tolerant data center on a fast virtual host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved immediately to a different hardware solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can eliminate as much as 50% of the time spent looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require when you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes next-generation behavior-based analysis tools to defend endpoint devices and physical and virtual servers against new malware assaults like ransomware and email phishing, which routinely evade traditional signature-based anti-virus tools. Progent ASM services protect on-premises and cloud resources and offer a unified platform to address the entire malware attack progression including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Call Desk services permit your IT team to offload Help Desk services to Progent or divide activity for support services seamlessly between your in-house network support team and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a transparent extension of your in-house network support group. End user access to the Help Desk, delivery of support, issue escalation, ticket generation and tracking, performance measurement, and maintenance of the service database are cohesive whether issues are taken care of by your internal IT support staff, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Call Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer businesses of any size a versatile and affordable solution for assessing, validating, scheduling, applying, and tracking updates to your ever-evolving information system. In addition to maximizing the protection and reliability of your IT network, Progent's software/firmware update management services allow your IT team to concentrate on more strategic initiatives and activities that derive maximum business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to defend against password theft by using two-factor authentication. Duo supports single-tap identity confirmation on iOS, Android, and other personal devices. With Duo 2FA, whenever you log into a secured application and give your password you are requested to verify who you are on a unit that only you have and that is accessed using a separate network channel. A wide selection of out-of-band devices can be utilized for this added form of authentication such as a smartphone or watch, a hardware/software token, a landline telephone, etc. You can designate multiple verification devices. To find out more about Duo two-factor identity authentication services, see Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of in-depth management reporting utilities created to work with the industry's leading ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues such as spotty support follow-through or endpoints with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Hialeah 24x7 Crypto-Ransomware Removal Help, reach out to Progent at 800-462-8800 or go to Contact Progent.