Ransomware : Your Crippling IT Disaster
Ransomware  Recovery ExpertsRansomware has become an escalating cyberplague that represents an existential danger for organizations poorly prepared for an attack. Versions of ransomware like the Dharma, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to inflict harm. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, as well as frequent as yet unnamed malware, not only encrypt on-line data but also infiltrate any available system restores and backups. Data synchronized to the cloud can also be corrupted. In a poorly architected system, it can make any restoration hopeless and basically knocks the entire system back to square one.

Getting back on-line applications and data after a ransomware intrusion becomes a sprint against the clock as the targeted organization fights to stop lateral movement and remove the ransomware and to restore business-critical activity. Because crypto-ransomware requires time to move laterally, penetrations are often sprung on weekends and holidays, when attacks in many cases take longer to identify. This multiplies the difficulty of rapidly assembling and coordinating an experienced mitigation team.

Progent has a range of solutions for securing enterprises from ransomware events. These include team education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of modern security solutions with AI capabilities from SentinelOne to detect and extinguish new threats intelligently. Progent in addition can provide the services of experienced ransomware recovery professionals with the track record and commitment to reconstruct a compromised network as quickly as possible.

Progent's Ransomware Restoration Support Services
Subsequent to a ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the codes to decipher all your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data even after having paid the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to piece back together the critical parts of your Information Technology environment. Absent access to full system backups, this calls for a broad complement of IT skills, top notch project management, and the willingness to work continuously until the task is done.

For decades, Progent has made available professional Information Technology services for businesses in Alpharetta and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded top certifications in important technologies such as Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity specialists have earned internationally-renowned certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP application software. This breadth of expertise affords Progent the capability to knowledgably identify important systems and organize the surviving pieces of your IT system after a ransomware attack and rebuild them into an operational system.

Progent's security group has top notch project management tools to orchestrate the complicated restoration process. Progent understands the urgency of acting rapidly and together with a customer's management and IT staff to assign priority to tasks and to put key systems back on line as soon as possible.

Client Story: A Successful Ransomware Intrusion Response
A customer hired Progent after their network was taken over by Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean government sponsored criminal gangs, suspected of using technology leaked from the U.S. National Security Agency. Ryuk goes after specific companies with limited room for operational disruption and is among the most profitable instances of crypto-ransomware. Well Known organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area and has about 500 workers. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. The majority of the client's data backups had been online at the time of the attack and were eventually encrypted. The client considered paying the ransom demand (more than $200,000) and praying for the best, but in the end engaged Progent.


"I cannot speak enough about the support Progent provided us throughout the most critical period of (our) businesses existence. We had little choice but to pay the hackers behind this attack if it wasn't for the confidence the Progent team provided us. The fact that you could get our e-mail and essential servers back into operation quicker than one week was something I thought impossible. Every single expert I talked with or texted at Progent was laser focused on getting our system up and was working 24 by 7 on our behalf."

Progent worked with the client to rapidly identify and prioritize the key elements that had to be recovered to make it possible to restart departmental operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • MRP System
To begin, Progent adhered to Anti-virus penetration mitigation best practices by halting lateral movement and clearing infected systems. Progent then started the task of recovering Microsoft AD, the core of enterprise environments built upon Microsoft Windows technology. Exchange email will not work without Windows AD, and the customer's MRP system used Microsoft SQL Server, which needs Active Directory services for access to the information.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then initiated setup and hard drive recovery of key applications. All Exchange ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to locate intact OST data files (Outlook Email Offline Folder Files) on various desktop computers to recover email data. A not too old off-line backup of the businesses accounting/MRP software made it possible to restore these essential services back available to users. Although major work was left to recover fully from the Ryuk damage, core systems were recovered quickly:


"For the most part, the production operation did not miss a beat and we produced all customer deliverables."

During the following month critical milestones in the recovery project were achieved in tight cooperation between Progent consultants and the client:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Server exceeding 4 million historical messages was brought online and available for users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were fully operational.
  • A new Palo Alto 850 security appliance was deployed.
  • 90% of the user PCs were functioning as before the incident.

"So much of what occurred that first week is nearly entirely a blur for me, but my team will not soon forget the commitment all of you put in to give us our company back. I've trusted Progent for the past 10 years, possibly more, and each time Progent has shined and delivered as promised. This time was a testament to your capabilities."

Conclusion
A potential business disaster was averted by results-oriented professionals, a wide range of IT skills, and close teamwork. Although in post mortem the ransomware attack detailed here should have been shut down with up-to-date cyber security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and appropriate security procedures for information backup and keeping systems up to date with security patches, the fact is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's team of experts has extensive experience in ransomware virus defense, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), thank you for letting me get some sleep after we made it through the initial push. All of you did an impressive job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Alpharetta a portfolio of online monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services incorporate modern AI technology to uncover zero-day variants of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely get by legacy signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to manage the complete threat progression including filtering, infiltration detection, mitigation, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, penetration alarms, device control, and web filtering through cutting-edge tools incorporated within one agent managed from a single control. Progent's data protection and virtualization consultants can help you to design and implement a ProSight ESP deployment that meets your organization's specific needs and that helps you prove compliance with legal and industry information security regulations. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also assist you to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup/restore software providers to produce ProSight Data Protection Services, a family of management outsourcing plans that deliver backup-as-a-service. ProSight DPS products manage and monitor your data backup operations and enable transparent backup and fast recovery of vital files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss resulting from hardware failures, natural disasters, fire, malware like ransomware, human mistakes, ill-intentioned insiders, or application glitches. Managed services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to provide centralized management and comprehensive security for your inbound and outbound email. The hybrid structure of Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of analysis for incoming email. For outbound email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map out, monitor, reconfigure and debug their connectivity hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating tedious management and troubleshooting processes, WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding appliances that require critical updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to help keep your network operating efficiently by checking the health of critical assets that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT management staff and your Progent consultant so that all looming issues can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported easily to an alternate hosting solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSLs or domains. By cleaning up and managing your IT documentation, you can save up to 50% of time thrown away looking for vital information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior machine learning technology to defend endpoint devices as well as servers and VMs against modern malware attacks like ransomware and email phishing, which routinely evade legacy signature-based AV products. Progent Active Security Monitoring services protect local and cloud-based resources and offers a unified platform to address the complete malware attack lifecycle including blocking, detection, mitigation, cleanup, and forensics. Top features include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Help Center services enable your information technology team to outsource Call Center services to Progent or divide responsibilities for Help Desk services transparently between your internal support team and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a seamless extension of your internal IT support resources. Client access to the Service Desk, provision of support, escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the support database are cohesive whether incidents are taken care of by your in-house network support staff, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Help Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide businesses of any size a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and tracking updates to your dynamic IT system. Besides maximizing the security and reliability of your computer network, Progent's patch management services allow your in-house IT team to focus on line-of-business projects and tasks that derive the highest business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo enables one-tap identity verification on iOS, Android, and other personal devices. With Duo 2FA, whenever you log into a protected online account and give your password you are asked to verify your identity on a device that only you have and that uses a different network channel. A wide selection of out-of-band devices can be utilized for this second form of authentication such as a smartphone or wearable, a hardware token, a landline phone, etc. You may register several validation devices. For more information about Duo identity validation services, see Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time management reporting utilities created to work with the top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as inconsistent support follow-up or machines with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24/7/365 Alpharetta Crypto-Ransomware Removal Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.