Ransomware : Your Crippling Information Technology Disaster
Ransomware  Remediation ExpertsCrypto-Ransomware has become a modern cyberplague that poses an existential threat for organizations vulnerable to an attack. Multiple generations of ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and still inflict damage. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as additional as yet unnamed newcomers, not only do encryption of on-line files but also infiltrate most accessible system backups. Files synchronized to cloud environments can also be corrupted. In a poorly designed system, this can render any restore operations useless and basically sets the network back to zero.

Getting back online applications and information following a ransomware outage becomes a race against time as the targeted organization tries its best to stop lateral movement and remove the ransomware and to restore business-critical activity. Because ransomware takes time to move laterally, assaults are frequently sprung on weekends and holidays, when penetrations in many cases take more time to discover. This multiplies the difficulty of promptly assembling and organizing an experienced response team.

Progent makes available an assortment of support services for securing enterprises from crypto-ransomware attacks. Among these are user training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security gateways with machine learning technology from SentinelOne to detect and extinguish new cyber attacks intelligently. Progent in addition provides the services of experienced crypto-ransomware recovery professionals with the skills and perseverance to restore a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Help
Soon after a crypto-ransomware attack, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will respond with the needed codes to unencrypt any of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET estimates to be approximately $13,000. The alternative is to setup from scratch the critical components of your Information Technology environment. Absent the availability of complete data backups, this requires a broad complement of skills, well-coordinated project management, and the willingness to work 24x7 until the task is finished.

For decades, Progent has made available professional Information Technology services for companies in Long Beach and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise provides Progent the skills to rapidly determine necessary systems and organize the remaining parts of your network environment following a crypto-ransomware event and assemble them into an operational system.

Progent's ransomware team has best of breed project management systems to coordinate the complex recovery process. Progent appreciates the urgency of acting rapidly and in unison with a customer's management and Information Technology resources to prioritize tasks and to get key applications back online as fast as possible.

Customer Case Study: A Successful Ransomware Virus Response
A customer hired Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state sponsored cybercriminals, suspected of adopting techniques leaked from the U.S. NSA organization. Ryuk attacks specific companies with little or no ability to sustain operational disruption and is among the most profitable iterations of ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in the Chicago metro area and has around 500 staff members. The Ryuk intrusion had disabled all essential operations and manufacturing processes. Most of the client's data protection had been directly accessible at the start of the attack and were encrypted. The client was evaluating paying the ransom (in excess of $200,000) and wishfully thinking for good luck, but in the end brought in Progent.


"I can't thank you enough in regards to the care Progent provided us during the most fearful time of (our) businesses survival. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent group gave us. That you could get our e-mail system and essential servers back quicker than a week was something I thought impossible. Every single expert I worked with or texted at Progent was amazingly focused on getting our system up and was working day and night on our behalf."

Progent worked together with the customer to rapidly understand and assign priority to the mission critical systems that needed to be recovered to make it possible to resume departmental operations:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • MRP System
To start, Progent adhered to ransomware penetration response industry best practices by halting the spread and cleaning up infected systems. Progent then started the work of recovering Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange email will not function without AD, and the customer's financials and MRP software used Microsoft SQL Server, which requires Active Directory services for authentication to the database.

Within two days, Progent was able to re-build Active Directory services to its pre-intrusion state. Progent then helped perform setup and storage recovery on needed applications. All Exchange Server ties and attributes were usable, which facilitated the restore of Exchange. Progent was able to find intact OST files (Outlook Email Offline Folder Files) on team PCs and laptops to recover email messages. A recent off-line backup of the customer's accounting systems made it possible to return these vital applications back online for users. Although a large amount of work was left to recover fully from the Ryuk event, the most important systems were restored rapidly:


"For the most part, the manufacturing operation never missed a beat and we did not miss any customer shipments."

Over the next month critical milestones in the restoration project were achieved through close cooperation between Progent consultants and the client:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Microsoft Exchange Server exceeding 4 million historical messages was spun up and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent functional.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Nearly all of the user PCs were being used by staff.

"So much of what occurred that first week is mostly a haze for me, but my team will not soon forget the commitment each of you accomplished to give us our business back. I have trusted Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This event was no exception but maybe more Herculean."

Conclusion
A possible business-ending catastrophe was avoided with dedicated experts, a broad spectrum of IT skills, and close teamwork. Although in analyzing the event afterwards the crypto-ransomware incident described here would have been prevented with current cyber security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well thought out security procedures for data backup and proper patching controls, the reality remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware penetration, remember that Progent's team of experts has a proven track record in ransomware virus defense, removal, and data disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for letting me get rested after we got through the initial push. All of you did an fabulous job, and if anyone is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Long Beach a variety of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services include next-generation AI technology to uncover zero-day variants of ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's cutting edge behavior-based analysis technology to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to automate the complete malware attack lifecycle including protection, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies incorporated within one agent managed from a single control. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent's consultants can also assist you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with advanced backup software companies to produce ProSight Data Protection Services (DPS), a family of offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and allow non-disruptive backup and rapid restoration of critical files, apps, system images, and VMs. ProSight DPS helps you recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, human error, malicious insiders, or software bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security companies to deliver web-based management and world-class security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of analysis for inbound email. For outbound email, the local gateway offers AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, monitor, reconfigure and debug their networking hardware such as routers and switches, firewalls, and access points plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are always updated, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, locating appliances that need critical updates, or isolating performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to help keep your network running efficiently by tracking the health of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT management staff and your Progent consultant so that all looming issues can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported easily to an alternate hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard information related to your network infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSLs or domains. By updating and managing your IT documentation, you can eliminate up to 50% of time thrown away searching for vital information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting edge behavior analysis technology to defend endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-based AV products. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and provides a unified platform to automate the entire threat progression including blocking, identification, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Call Center managed services enable your information technology team to outsource Help Desk services to Progent or split activity for Help Desk services transparently between your in-house support resources and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent supplement to your core support staff. Client interaction with the Help Desk, delivery of support services, escalation, ticket creation and updates, efficiency measurement, and maintenance of the support database are consistent regardless of whether issues are taken care of by your corporate network support group, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic IT network. Besides maximizing the security and functionality of your computer environment, Progent's software/firmware update management services allow your in-house IT team to concentrate on more strategic initiatives and activities that derive maximum business value from your network. Read more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication managed services utilize Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication. Duo supports single-tap identity confirmation with Apple iOS, Android, and other personal devices. With 2FA, whenever you log into a secured application and give your password you are requested to verify who you are via a unit that only you possess and that uses a different network channel. A broad range of out-of-band devices can be used as this added form of ID validation including an iPhone or Android or watch, a hardware token, a landline telephone, etc. You may designate several validation devices. For details about Duo two-factor identity authentication services, visit Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of real-time and in-depth management reporting plug-ins created to integrate with the industry's leading ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues like inconsistent support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For Long Beach 24/7 Crypto Repair Consulting, contact Progent at 800-462-8800 or go to Contact Progent.