Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware  Recovery ConsultantsRansomware has become a too-frequent cyber pandemic that represents an enterprise-level danger for organizations vulnerable to an attack. Multiple generations of ransomware such as CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still inflict damage. Modern versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with additional unnamed newcomers, not only encrypt on-line information but also infiltrate all configured system protection. Data synchronized to the cloud can also be ransomed. In a poorly architected environment, it can render automatic restoration useless and basically knocks the entire system back to zero.

Getting back online programs and information following a ransomware event becomes a sprint against the clock as the victim struggles to contain and clear the crypto-ransomware and to resume business-critical operations. Due to the fact that ransomware needs time to spread, penetrations are usually launched at night, when attacks may take more time to identify. This multiplies the difficulty of rapidly mobilizing and orchestrating a qualified response team.

Progent makes available a range of help services for securing organizations from ransomware attacks. Among these are team member training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of modern security solutions with machine learning capabilities from SentinelOne to discover and suppress zero-day cyber attacks intelligently. Progent in addition can provide the assistance of seasoned ransomware recovery professionals with the track record and commitment to rebuild a compromised environment as soon as possible.

Progent's Crypto-Ransomware Restoration Services
Soon after a ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the needed keys to decrypt any of your files. Kaspersky Labs estimated that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to setup from scratch the critical elements of your IT environment. Absent access to full system backups, this calls for a broad range of skill sets, well-coordinated team management, and the willingness to work non-stop until the job is complete.

For twenty years, Progent has offered certified expert IT services for companies in Alexandria and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience provides Progent the skills to knowledgably ascertain important systems and re-organize the surviving parts of your network environment after a ransomware event and rebuild them into an operational network.

Progent's security team deploys best of breed project management applications to coordinate the complex recovery process. Progent appreciates the urgency of acting quickly and in unison with a customer's management and Information Technology resources to assign priority to tasks and to get essential services back on-line as soon as possible.

Customer Case Study: A Successful Ransomware Penetration Response
A small business escalated to Progent after their network system was crashed by Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean state hackers, possibly adopting strategies exposed from America's National Security Agency. Ryuk targets specific organizations with little or no room for disruption and is among the most profitable versions of crypto-ransomware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in Chicago and has about 500 employees. The Ryuk penetration had frozen all company operations and manufacturing capabilities. The majority of the client's data protection had been online at the start of the attack and were encrypted. The client was pursuing financing for paying the ransom demand (more than $200K) and praying for good luck, but in the end engaged Progent.


"I cannot say enough about the expertise Progent gave us during the most fearful period of (our) businesses life. We would have paid the Hackers if not for the confidence the Progent team afforded us. The fact that you could get our messaging and critical servers back faster than 1 week was beyond my wildest dreams. Every single expert I worked with or communicated with at Progent was totally committed on getting my company operational and was working all day and night on our behalf."

Progent worked with the client to quickly understand and assign priority to the key applications that had to be restored in order to continue business functions:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To begin, Progent followed ransomware penetration response best practices by halting lateral movement and clearing up compromised systems. Progent then began the task of restoring Windows Active Directory, the core of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Windows AD, and the businesses' MRP system utilized Microsoft SQL, which requires Windows AD for authentication to the information.

In less than 48 hours, Progent was able to rebuild Active Directory services to its pre-virus state. Progent then assisted with rebuilding and hard drive recovery of the most important applications. All Microsoft Exchange Server data and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to locate non-encrypted OST files (Outlook Email Off-Line Folder Files) on user workstations in order to recover mail information. A recent off-line backup of the client's accounting software made it possible to restore these essential applications back on-line. Although a lot of work needed to be completed to recover completely from the Ryuk virus, core systems were recovered quickly:


"For the most part, the production manufacturing operation did not miss a beat and we made all customer deliverables."

Throughout the following few weeks important milestones in the recovery process were made through tight cooperation between Progent consultants and the customer:

  • Self-hosted web applications were restored without losing any information.
  • The MailStore Server with over 4 million archived messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory Control functions were fully recovered.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Most of the desktop computers were fully operational.

"So much of what transpired during the initial response is mostly a blur for me, but my management will not forget the countless hours all of you put in to give us our business back. I have trusted Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered. This event was a Herculean accomplishment."

Conclusion
A possible company-ending catastrophe was evaded through the efforts of top-tier experts, a broad range of IT skills, and close collaboration. Although in post mortem the crypto-ransomware virus penetration described here would have been disabled with up-to-date security systems and recognized best practices, user education, and well designed security procedures for data backup and keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, feel confident that Progent's team of experts has extensive experience in ransomware virus blocking, removal, and data recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for making it so I could get some sleep after we got through the initial push. All of you did an incredible job, and if anyone is in the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Alexandria a range of remote monitoring and security assessment services to help you to minimize the threat from ransomware. These services include next-generation machine learning capability to detect new variants of crypto-ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior-based analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to automate the entire malware attack progression including protection, infiltration detection, containment, cleanup, and forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer ultra-affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint control, and web filtering via leading-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to design and configure a ProSight ESP deployment that meets your organization's unique needs and that allows you achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent action. Progent's consultants can also assist you to set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup technology companies to produce ProSight Data Protection Services (DPS), a family of management offerings that deliver backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and enable transparent backup and rapid recovery of vital files/folders, applications, images, plus virtual machines. ProSight DPS lets your business avoid data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or software bugs. Managed backup services in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to deliver web-based management and comprehensive protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from making it to your network firewall. This decreases your exposure to external threats and saves system bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper layer of analysis for inbound email. For outbound email, the local security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to track and safeguard internal email that originates and ends within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, track, optimize and debug their networking hardware like routers and switches, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that network maps are always updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates notices when problems are discovered. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating appliances that need important updates, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to keep your network running at peak levels by checking the state of critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT management staff and your Progent engineering consultant so all looming issues can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported immediately to a different hardware solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSLs or domains. By cleaning up and managing your IT documentation, you can eliminate up to half of time thrown away looking for critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting edge behavior-based machine learning technology to defend endpoints as well as servers and VMs against new malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. Progent ASM services protect local and cloud resources and provides a single platform to automate the entire threat lifecycle including blocking, detection, mitigation, remediation, and forensics. Top features include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Call Desk managed services permit your information technology team to offload Support Desk services to Progent or split responsibilities for Service Desk support transparently between your internal network support group and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a seamless supplement to your internal IT support organization. Client interaction with the Service Desk, delivery of support, issue escalation, ticket generation and tracking, efficiency metrics, and management of the service database are cohesive regardless of whether issues are taken care of by your in-house network support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management provide businesses of all sizes a flexible and affordable alternative for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic IT system. Besides optimizing the protection and functionality of your IT environment, Progent's patch management services free up time for your in-house IT team to focus on line-of-business initiatives and activities that derive the highest business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation with Apple iOS, Google Android, and other personal devices. With 2FA, whenever you sign into a secured application and enter your password you are asked to verify who you are via a unit that only you have and that is accessed using a different network channel. A broad selection of devices can be utilized as this added form of ID validation including a smartphone or wearable, a hardware token, a landline phone, etc. You may designate several verification devices. To learn more about ProSight Duo identity validation services, go to Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of real-time management reporting tools designed to integrate with the industry's leading ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-through or machines with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For 24x7x365 Alexandria Ransomware Recovery Consultants, contact Progent at 800-462-8800 or go to Contact Progent.