Ransomware: Your Worst IT Nightmare

Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyber plague that presents an enterprise-level threat to businesses of all sizes that are unprepared for an attack. Ransomware families such as CryptoLocker, WannaCry, Locky, NotPetya and the MongoLock cryptoworms have been spreading for many years and still cause harm. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, plus frequent unnamed variants, not only encrypt online files but also encrypt every system backup they can reach. Files synchronized to the cloud can be encrypted as well. In a poorly architected environment this can make automatic restoration impossible and effectively knocks the network back to square one.

Bringing services and information back online after a ransomware attack becomes a sprint against the clock as the targeted organization tries to stop lateral movement, remove the ransomware, and resume business-critical operations. Because ransomware needs time to spread, attacks are usually launched at night or on weekends, when intrusions often take longer to discover. This compounds the difficulty of rapidly mobilizing and coordinating an experienced response team.

Progent offers an assortment of services for protecting organizations from ransomware attacks. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern security gateways with artificial intelligence capabilities from SentinelOne to detect and quarantine new threats quickly. Progent can also provide expert ransomware recovery engineers with the track record and commitment to restore a compromised system as urgently as possible.

Progent's Ransomware Recovery Services
After a ransomware event, even paying the ransom demand in cryptocurrency does not guarantee that the criminals will provide the keys to decrypt all of your information. Kaspersky determined that 17% of ransomware victims never restored their files even after paying the ransom, compounding their losses. Paying is also expensive: Ryuk ransoms are commonly a few hundred thousand dollars, and for larger organizations the ransom can reach millions of dollars. The fallback is to rebuild the mission-critical parts of your IT environment from scratch. Without access to complete data backups, this requires a wide complement of skill sets, well-coordinated project management, and the willingness to work 24x7 until the job is done.

For decades, Progent has provided expert information technology services to businesses across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold top certifications in foundation technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cyber security specialists have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the ability to quickly understand critical systems, reorganize the surviving components of your IT environment after a ransomware intrusion, and rebuild them into a functioning network.

Progent's recovery group uses state-of-the-art project management applications to orchestrate the complex restoration process. Progent understands the importance of acting rapidly and in unison with a client's management and IT staff to prioritize tasks and to put critical services back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Penetration Response
A client escalated to Progent after its network was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state hackers, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies that can tolerate little or no disruption and is among the most lucrative examples of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had halted all company operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately decided to engage Progent.


"I can't thank you enough for the expertise Progent provided us during the most fearful time of (our) company's survival. We may have had to pay the hackers except for the confidence the Progent experts gave us. The fact that you were able to get our messaging and critical applications back in less than a week was incredible. Every single consultant I talked with or communicated with at Progent was laser focused on getting us restored and was working day and night on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the essential systems that had to be restored so that departmental functions could continue:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To start, Progent followed incident response best practices by isolating the affected systems and removing the malware. Progent then began rebuilding Windows Active Directory, the core of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server email will not function without AD, and the client's financial and MRP software relied on SQL Server, which requires Active Directory for access to the databases.

Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then completed the rebuild and storage recovery of the remaining required systems. All Exchange Server dependencies and configuration information were intact, which greatly simplified the Exchange rebuild. Progent was also able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from user desktop computers in order to recover mail messages. A reasonably recent offline backup of the customer's accounting software made it possible to bring these required services back into service. Although major work remained to recover completely from the Ryuk damage, the most important services were restored rapidly:


"For the most part, the production operation was never shut down and we made all customer orders."
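One step in the recovery above was collecting unencrypted OST files from user desktops so mail could be restored. The following Python script is an added example, not Progent's code or tooling: it walks a directory tree, finds Outlook data files by extension, and triages each one by checking for the "!BDN" signature that Microsoft's [MS-PST] open specification defines for PST/OST headers, falling back to a header-entropy check for files whose signature is gone. The directory layout, file names and file contents are constructed for the example; on a real engagement `triage()` would be pointed at a mounted copy of each workstation's profile directory.

```python
import math
import os
import tempfile
from pathlib import Path

# Outlook PST/OST files begin with the 4-byte signature "!BDN"
# (dwMagic = 0x4E444221 in the [MS-PST] specification).
PST_MAGIC = b"!BDN"
HEADER_SAMPLE = 4096  # bytes of header examined for the entropy signal


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for random or encrypted data, far lower for a real header."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_ost(path: Path) -> str:
    """Return 'intact', 'suspect-encrypted', 'unrecognized' or 'unreadable'."""
    try:
        with path.open("rb") as f:
            head = f.read(HEADER_SAMPLE)
    except OSError:
        return "unreadable"
    if head.startswith(PST_MAGIC):
        return "intact"
    # No valid signature: a high-entropy header is consistent with encryption.
    if shannon_entropy(head) > 7.0:
        return "suspect-encrypted"
    return "unrecognized"


def triage(root: Path) -> dict:
    """Walk root, classify every .ost/.pst file, return {relative posix path: verdict}.

    Note: ransomware that renames files will defeat the extension filter; in that
    case apply classify_ost() to every file instead of only .ost/.pst names.
    """
    results = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in (".ost", ".pst"):
            results[p.relative_to(root).as_posix()] = classify_ost(p)
    return results


def build_sample_tree() -> Path:
    """Constructed sample tree (no real mailbox data): one intact, one scrambled, one unrelated file."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    # Intact-looking OST: valid signature followed by a sparse, mostly-zero header.
    (root / "alice" / "alice@example.com.ost").write_bytes(PST_MAGIC + b"\x00" * 4092)
    # Header overwritten with random bytes, which is how an encrypted file looks.
    (root / "bob" / "bob@example.com.ost").write_bytes(os.urandom(4096))
    (root / "bob" / "readme.txt").write_bytes(b"not a mailbox")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, verdict in sorted(triage(sample).items()):
        print(f"{verdict:18} {rel}")
```

The signature check is the reliable signal; the entropy threshold is only a tie-breaker for files that have lost their header, and it should be confirmed by opening the file in Outlook or with a PST inspection tool before the file is counted as recoverable.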

Over the following couple of weeks, critical milestones in the recovery process were reached in close cooperation between Progent team members and the customer:

  • Internal web sites were restored with no loss of information.
  • The MailStore Server holding more than 4 million archived emails was brought back up and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control modules were fully functional.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Most of the desktops and laptops were operational.

"So much of what went on in the initial days is nearly entirely a haze for me, but we will not soon forget the commitment all of you accomplished to give us our business back. I've been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was a life saver."

Conclusion
A potentially business-ending catastrophe was averted through results-oriented professionals, a wide range of technical expertise, and tight teamwork. Although in hindsight the ransomware incident detailed here could have been prevented with up-to-date cyber security technology, ISO/IEC 27001 best practices, user training, well-designed incident response procedures for information protection, and proper patching controls, the reality is that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, you can be confident that Progent's team of experts has proven experience in ransomware blocking, removal, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for allowing me to get some sleep after we made it over the initial push. Everyone did an amazing job, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this case study, see Progent's Ryuk Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Alexandria a range of remote monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services include modern machine learning capabilities to detect zero-day strains of ransomware that can evade traditional signature-based anti-virus products.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network operating efficiently by tracking the health of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT management staff and your Progent consultant so all looming problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to diagram, monitor, optimize and troubleshoot their networking appliances such as switches, firewalls, and access points as well as servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are kept updated, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when problems are discovered. By automating tedious management activities, WAN Watch can knock hours off common chores such as making network diagrams, reconfiguring your network, locating devices that need important software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of in-depth reporting plug-ins created to work with the industry's leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup software companies to create ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and monitor your data backup processes and allow non-disruptive backup and fast recovery of critical files, applications, images, plus VMs. ProSight DPS lets your business recover from data loss resulting from equipment failures, natural disasters, fire, malware like ransomware, human mistakes, ill-intentioned employees, or software glitches. Managed services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security companies to deliver centralized management and world-class protection for your inbound and outbound email. The Email Guard managed service combines cloud-based filtering with an on-premises gateway device to provide layered protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. The cloud filter serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further level of inspection for incoming email. For outbound email, the local security gateway provides AV and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server in monitoring and safeguarding internal email traffic that stays within your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans use Cisco's Duo technology to protect against compromised passwords with two-factor authentication (2FA). Duo enables one-tap identity verification on iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected online account and enter your password, you are asked to verify your identity using a device that only you possess and that communicates over a separate ("out-of-band") channel. A broad range of devices can serve as this second factor, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone, and you may register several verification devices. For details about Duo identity verification services, visit Duo MFA two-factor authentication services.

  • Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
    Progent's Help Desk services enable your IT group to outsource Support Desk services to Progent or divide activity for support services transparently between your in-house network support staff and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Shared Service Desk offers a transparent supplement to your in-house network support organization. User access to the Help Desk, provision of support, problem escalation, trouble ticket creation and tracking, efficiency measurement, and maintenance of the service database are consistent whether issues are resolved by your core support organization, by Progent, or both. Find out more about Progent's outsourced/co-managed Service Center services.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that uses cutting-edge behavior analysis tools to defend endpoint devices, servers and VMs against modern malware such as ransomware and file-less exploits, which easily get past traditional signature-based anti-virus products. Progent Active Security Monitoring services safeguard local and cloud-based resources and offer a single platform to automate the entire threat lifecycle, including protection, intrusion detection, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can save as much as half of time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about ProSight IT Asset Management service.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer businesses of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, implementing, and documenting updates to your ever-evolving information system. Besides optimizing the protection and functionality of your computer environment, Progent's patch management services allow your in-house IT team to concentrate on line-of-business projects and tasks that deliver maximum business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported immediately to a different hosting environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based analysis tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily escape legacy signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to manage the complete malware attack lifecycle including filtering, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device management, and web filtering through cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help you design and configure a ProSight ESP environment that meets your company's unique requirements and that allows you to achieve and demonstrate compliance with legal and industry data security regulations. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate attention. Progent can also assist you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

For 24/7 Alexandria Ransomware Recovery Consulting, call Progent at 800-462-8800 or go to Contact Progent.