Ransomware: Your Crippling IT Disaster
Ransomware Remediation Experts
Ransomware has become a modern cyber plague that represents an enterprise-level threat to businesses poorly prepared for an attack. Strains such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been circulating for years and still cause damage. Newer crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with as yet unnamed variants that appear daily, not only encrypt production data but also seek out and destroy any backups they can reach, including online backup repositories and Volume Shadow Copies. Files replicated to cloud storage can be encrypted too, because the sync client uploads the encrypted versions just as it would any other change. In a vulnerable environment this can make restore operations hopeless and effectively knocks the network back to zero.

Restoring services and data after a crypto-ransomware intrusion becomes a race against the clock as the targeted organization tries to contain and eradicate the malware and resume mission-critical activity. Because ransomware takes time to spread, attacks are frequently launched on weekends and holidays, when they take longer to discover. This adds to the difficulty of rapidly assembling and organizing a qualified response team.

Progent provides a range of services for protecting enterprises from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for managed endpoint protection, and setup and configuration of current-generation security tooling built on SentinelOne's behavior-based machine learning to detect and stop zero-day threats rapidly. Progent also provides expert crypto-ransomware recovery professionals with the track record and commitment to bring a breached system back online as quickly as possible.

Progent's Ransomware Recovery Services
After a ransomware intrusion, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt your files. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, adding to their losses. Paying is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the typical ransomware demand, which ZDNet put at about $13,000. The alternative is to rebuild the mission-critical parts of your IT environment from scratch. Without access to intact backups, this requires a broad set of skills, well-coordinated project management, and the ability to work around the clock until the recovery is complete.

For twenty years, Progent has provided professional IT services for companies in Des Moines and across the U.S. and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants with advanced certifications in Microsoft, Cisco and VMware technologies and in popular Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP software. This breadth of experience lets Progent rapidly identify critical systems, consolidate the surviving pieces of your IT environment after a ransomware event, and rebuild them into an operational network.

Progent's recovery team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of working rapidly and in concert with a client's management and IT staff to prioritize tasks and get key systems back online as soon as possible.

Customer Story: A Successful Ransomware Attack Recovery
A customer escalated to Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially linked to North Korean state-backed actors because it shares code with the earlier Hermes ransomware, but later analysis attributed it to Russian-speaking criminal groups. Ryuk targets specific businesses with little tolerance for disruption and is one of the most profitable ransomware families. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with around 500 staff. The Ryuk event had halted all business and manufacturing operations. Most of the client's backups were online when the attack began and were encrypted along with production data. The client was preparing to pay the ransom (over $200K) and hope for the best, but ultimately engaged Progent instead.


"I cannot say enough in regards to the care Progent provided us throughout the most stressful time of (our) business's life. We most likely would have paid the hackers behind this attack if not for the confidence the Progent team afforded us. The fact that you could get our messaging and essential servers back on-line in less than a week was incredible. Each consultant I worked with or messaged at Progent was amazingly focused on getting us operational and was working at all hours on our behalf."

Progent worked with the client to rapidly assess and prioritize the critical services that had to be recovered before business operations could restart:

  • Windows Active Directory
  • Exchange Server
  • Accounting/MRP
Progent first followed standard incident-response practice for a malware outbreak: isolating affected systems to stop lateral movement, then removing the malware. Progent then began restoring Active Directory, the foundation of any environment built on Windows Server. Exchange Server will not operate without AD, and the company's MRP software used Microsoft SQL Server with Windows authentication, which depends on Active Directory to authenticate users to the databases.

Within two days, Progent had restored Active Directory to its pre-attack state. Progent then began reinstalling and recovering the disks of the most important systems. The Exchange schema extensions and attributes in AD were intact, which greatly simplified the Exchange restore. Progent was also able to collect local OST files (Outlook Offline Data Files) from user PCs to recover mail. A recent offline backup of the financial/MRP system made it possible to bring those applications back into service. Although a great deal of work remained to recover fully from the Ryuk attack, critical services were returned to operation quickly:


"For the most part, the assembly line operation ran fairly normal throughout and we made all customer orders."
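The recovery order in the case study (Active Directory first, then Exchange, then the SQL-backed MRP system) leaves a few things worth verifying before declaring each layer healthy: that every restored domain controller replicates cleanly, that the Exchange schema extension the rebuild depended on is really present, and which workstations still hold usable OST files. The PowerShell below is an added example written for this page, not Progent's tooling and not anything from the case study. It assumes a domain-joined workstation with the RSAT ActiveDirectory module, domain-admin rights, and admin-share access to the workstations named, which are placeholder hostnames.

```powershell
# Added example (not from the case study): check the three layers in the order they were
# restored, Active Directory -> Exchange schema -> mail data sources.
# Assumes: RSAT ActiveDirectory module, domain-admin rights, reachable C$ admin shares.
Import-Module ActiveDirectory

# 1. Active Directory: every DC reachable, FSMO roles accounted for, no replication failures.
#    A DC restored from backup must replicate cleanly before Exchange or SQL are rebuilt on it.
function Get-DcHealth {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $failures = @(Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            DC                  = $dc.HostName
            Site                = $dc.Site
            FsmoRoles           = ($dc.OperationMasterRoles -join ',')
            ReplicationFailures = $failures.Count
        }
    }
}

# 2. Exchange schema: the case study relied on the Exchange schema extensions surviving.
#    rangeUpper on ms-Exch-Schema-Version-Pt records the installed Exchange schema version.
#    If the object is missing, Setup /PrepareSchema must run before Exchange can be reinstalled.
function Get-ExchangeSchemaVersion {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC `
                        -Filter "name -eq 'ms-Exch-Schema-Version-Pt'" `
                        -Properties rangeUpper
    if ($obj) { $obj.rangeUpper } else { $null }
}

# 3. OST inventory: locate Outlook offline data files on workstations so their contents can
#    be exported back into rebuilt mailboxes. Only pull from machines that were not encrypted;
#    an OST whose LastWriteTime falls inside the encryption window should be treated as suspect.
function Get-OstInventory {
    param([string[]]$ComputerName)   # placeholder hostnames are passed in below
    foreach ($h in $ComputerName) {
        $usersShare = "\\$h\C$\Users"
        if (-not (Test-Path $usersShare)) { continue }
        Get-ChildItem -Path $usersShare -Recurse -Filter *.ost -ErrorAction SilentlyContinue |
            Select-Object @{n='Host';e={$h}}, FullName,
                          @{n='SizeMB';e={[math]::Round($_.Length/1MB, 1)}}, LastWriteTime
    }
}

Get-DcHealth | Format-Table -AutoSize
"Exchange schema rangeUpper: $(Get-ExchangeSchemaVersion)"
Get-OstInventory -ComputerName 'WS-001', 'WS-002' | Format-Table -AutoSize
```

The schema check is deliberately a filtered search rather than a lookup by distinguished name, so a missing object returns nothing instead of throwing; a null result is the signal that the AD restore did not bring the Exchange extensions back and the rebuild will need a full schema preparation step.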

During the following month important milestones in the restoration process were completed in close collaboration between Progent consultants and the customer:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore email archive, holding more than 4 million historical Exchange messages, was brought online and made accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control modules were fully operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • 90% of user desktops were back in service.

"Much of what went on during the initial response is mostly a haze for me, but we will not forget the care all of the team accomplished to help get our company back. I've trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was the most impressive ever."

Conclusion
A likely company-ending catastrophe was averted by dedicated experts, a wide array of knowledge, and close teamwork. Post-incident forensics showed that the intrusion described here could have been prevented with current security tooling, NIST Cybersecurity Framework practices, user and IT administrator training, well-designed backup procedures (including copies kept offline), and proper patching controls. Even so, criminal and state-sponsored attackers from China, Russia, North Korea and elsewhere are relentless and will keep trying. If you do fall victim to a ransomware attack, remember that Progent's team has substantial experience in ransomware defense, removal, and data recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for letting me get some sleep after we got over the initial fire. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Des Moines a portfolio of remote monitoring and security evaluation services to assist you to minimize your vulnerability to ransomware. These services utilize next-generation AI capability to detect zero-day variants of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud resources and provides a single platform to address the entire malware attack lifecycle including blocking, identification, containment, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge tools incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP environment that meets your company's needs and that allows you to demonstrate compliance with legal and industry information protection standards. Progent will help you specify and configure the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also help you install and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore software providers to produce ProSight Data Protection Services (DPS), a selection of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup operations and enable transparent backup and fast restoration of important files/folders, apps, system images, and VMs. ProSight DPS lets you avoid data loss resulting from hardware failures, natural calamities, fire, malware such as ransomware, human mistakes, malicious insiders, or software glitches. Managed services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security vendors to deliver centralized control and world-class security for all your email traffic. The architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway device provides a deeper level of analysis for inbound email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server monitor and safeguard internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map out, track, optimize and troubleshoot their networking hardware such as switches, firewalls, and load balancers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration information of virtually all devices on your network, tracks performance, and generates notices when problems are detected. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, finding appliances that require important updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network operating at peak levels by checking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your specified IT management personnel and your assigned Progent engineering consultant so any looming problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved easily to an alternate hosting environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can save up to half the time spent searching for critical information about your IT network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that uses behavior-based analysis to guard endpoint devices, servers and VMs against new malware such as ransomware and file-less exploits that routinely evade traditional signature-matching AV products. The service protects on-premises and cloud resources and provides a unified platform covering the complete attack lifecycle: prevention, detection, containment, cleanup, and forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against new attacks. Find out more about Progent's ransomware protection and cleanup services.
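Both ProSight Active Security Monitoring and Active Defense Against Ransomware advertise rollback based on Windows Volume Shadow Copies. The caveat a practitioner should keep in mind is that Ryuk and similar families delete shadow copies and disable Windows recovery before they start encrypting, so a VSS rollback only helps if the endpoint agent blocks those commands or the host was never reached. The PowerShell below is an added example and is not part of any Progent or SentinelOne product. It flags the shadow-copy-tampering command lines most often seen in process-creation records (the Process Command Line field of Security event 4688, or Sysmon event 1) and reports how many shadow copies the local host still holds. The sample command lines are constructed for the example.

```powershell
# Added example (not Progent's or SentinelOne's code): detect shadow-copy and recovery
# tampering in process-creation command lines, then count surviving shadow copies locally.

# Command-line patterns used by Ryuk-style ransomware to remove restore points.
$script:TamperPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',                       # vssadmin Delete Shadows /all /quiet
    'vssadmin(\.exe)?\s+resize\s+shadowstorage.*maxsize=',       # shrink storage so old copies are purged
    'wmic(\.exe)?\s+shadowcopy\s+delete',                        # WMI equivalent
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',    # destroy Windows Backup catalog
    'bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no', # disable Windows Recovery Environment
    'Win32_ShadowCopy.*\.Delete\(\)'                             # PowerShell/WMI object deletion
)

# Returns one object per command line that matches a tampering pattern; benign lines produce nothing.
function Test-ShadowCopyTampering {
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($cl in $CommandLine) {
        foreach ($pattern in $script:TamperPatterns) {
            if ($cl -imatch $pattern) {
                [pscustomobject]@{ Pattern = $pattern; CommandLine = $cl }
                break   # one hit per command line is enough
            }
        }
    }
}

# Number of shadow copies present on this host right now; zero on a host that is still
# expected to have them is itself worth an alert.
function Get-LocalShadowCopyCount {
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

# Constructed sample command lines (not taken from any real incident):
$sample = @(
    'C:\Windows\System32\svchost.exe -k netsvcs',
    'vssadmin.exe Delete Shadows /all /quiet',
    'cmd.exe /c wmic shadowcopy delete',
    'bcdedit /set {default} recoveryenabled No',
    'notepad.exe C:\Users\jdoe\notes.txt'
)

Test-ShadowCopyTampering -CommandLine $sample | Format-Table -AutoSize
"Shadow copies on $env:COMPUTERNAME: $(Get-LocalShadowCopyCount)"
```

Feeding real 4688 or Sysmon data into Test-ShadowCopyTampering (for example via Get-WinEvent and the event's message fields) turns this into a cheap detection that fires in the seconds between the attacker's staging script and the first encrypted file, which is exactly the window in which a rollback-capable agent still has something to roll back to.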

  • Progent's Outsourced/Shared Call Center: Help Desk Managed Services
    Progent's Call Center services enable your information technology team to offload Support Desk services to Progent or divide activity for support services transparently between your internal support group and Progent's nationwide roster of IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a smooth extension of your internal IT support staff. End user interaction with the Help Desk, delivery of support services, issue escalation, ticket generation and tracking, efficiency metrics, and maintenance of the support database are consistent regardless of whether issues are resolved by your corporate IT support resources, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of any size a flexible and affordable alternative for assessing, testing, scheduling, implementing, and documenting updates to your ever-evolving IT system. In addition to maximizing the security and functionality of your IT network, Progent's software/firmware update management services allow your IT team to focus on more strategic projects and tasks that deliver the highest business value from your network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo technology to protect against stolen passwords by using two-factor authentication. Duo supports single-tap identity confirmation on iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a protected online account and enter your password you are asked to verify your identity on a device that only you possess and that uses a separate network channel. A wide selection of devices can be utilized for this second form of authentication including a smartphone or watch, a hardware token, a landline telephone, etc. You may register multiple verification devices. For details about ProSight Duo identity authentication services, refer to Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time management reporting tools designed to integrate with the top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-up or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24x7x365 Des Moines Ransomware Cleanup Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.