Ransomware: Your Crippling Information Technology Disaster
Crypto-Ransomware Recovery Consultants
Ransomware has become a modern cyber pandemic and presents an extinction-level threat to businesses of any size that are poorly prepared for an attack. Older families such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock have been in the wild for years and still cause damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), NetWalker, LockBit and Nefilim, along with the as-yet-unnamed variants that appear daily, not only encrypt live data files but also seek out and destroy any backups reachable from the compromised network. Data synced to cloud storage can be overwritten with encrypted copies as well. Where the backup system is writable from the production domain, automated restoration becomes hopeless and the environment is effectively reset to zero; only backups kept offline, or on storage that the compromised credentials cannot modify, survive this kind of attack.

Getting applications and data back online after a ransomware outage becomes a race against time as the victim struggles to stop lateral movement, eradicate the malware and resume business-critical operations. Because encrypting an entire estate takes time, attackers frequently trigger the encryption phase at night or over a weekend, when it may take longer for anyone to notice. This compounds the difficulty of promptly assembling and coordinating a capable response team.
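The backup-destruction step described above is usually visible in process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688) minutes before files start being encrypted, and catching it is what makes "stopping lateral movement" possible at 2 a.m. on a Saturday. The following Python script is an added example written for this page, not Progent's code or any product's detection logic. It scans constructed, pipe-delimited process events (the timestamp|host|user|command_line layout is an assumption invented here, not a real product's format) for the shadow-copy and backup-catalog deletion commands that Ryuk and similar families run, reports whether a VSS-based rollback is still possible, and names the host that fired first so it can be isolated and imaged ahead of the rest.

```python
"""Flag backup-destruction commands in Windows process-creation telemetry.

Added example, not Progent's code. Ransomware families such as Ryuk run a
short burst of housekeeping commands (delete shadow copies, shrink shadow
storage, wipe the Windows Backup catalog, disable boot recovery) just before
encryption starts. These commands are rare in day-to-day administration, so
they are a high-signal alert and also tell a responder whether a VSS-based
rollback is even possible. The log format below is an assumption invented
for this example: timestamp|host|user|command_line, one event per line.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# (rule name, pattern over the command line, why it matters)
RULES = [
    ("vss_delete",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
     "deletes volume shadow copies; VSS rollback is no longer possible"),
    ("vss_resize",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize=", re.I),
     "shrinks shadow storage, which evicts existing shadow copies"),
    ("wmic_shadow_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
     "deletes shadow copies through WMI"),
    ("wbadmin_catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
     "destroys Windows Server Backup catalog or system state backups"),
    ("bcdedit_recovery",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
     "disables the Windows recovery environment at boot"),
]

# Rules whose presence means shadow copies are gone on that host.
SHADOW_KILLERS = {"vss_delete", "vss_resize", "wmic_shadow_delete"}


@dataclass
class Finding:
    timestamp: str   # ISO 8601, so string order is time order
    host: str
    user: str
    rule: str
    command: str


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into fields; None if malformed."""
    parts = line.rstrip("\r\n").split("|", 3)   # command line may contain '|'
    if len(parts) != 4:
        return None
    return dict(zip(("timestamp", "host", "user", "command"), parts))


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per process event that matches a rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for name, pattern, _why in RULES:
            if pattern.search(event["command"]):
                findings.append(Finding(event["timestamp"], event["host"],
                                        event["user"], name, event["command"]))
                break   # first matching rule is enough for one event
    return findings


def rollback_still_possible(findings: List[Finding]) -> bool:
    """False once any shadow-copy-destroying command has been observed."""
    return not any(f.rule in SHADOW_KILLERS for f in findings)


def findings_by_host(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map host -> rule names in the order they fired, for containment triage."""
    by_host: Dict[str, List[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f.rule)
    return by_host


def first_finding(findings: List[Finding]) -> Optional[Finding]:
    """Earliest event, i.e. the host to isolate and image first."""
    return min(findings, key=lambda f: f.timestamp) if findings else None


# Constructed sample events for this example (not real telemetry).
SAMPLE_LOG = r"""2020-05-16T01:58:03Z|WS-114|CORP\jsmith|"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
2020-05-16T02:13:44Z|FS-01|CORP\svc_backup|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2020-05-16T02:13:45Z|FS-01|CORP\svc_backup|vssadmin.exe delete shadows /all /quiet
2020-05-16T02:13:47Z|FS-01|CORP\svc_backup|wbadmin delete catalog -quiet
2020-05-16T02:14:02Z|DC-01|CORP\svc_backup|bcdedit /set {default} recoveryenabled No
2020-05-16T02:20:11Z|WS-114|CORP\jsmith|vssadmin list shadows
this line is malformed and is skipped"""


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        why = next(w for n, _p, w in RULES if n == f.rule)
        print(f"{f.timestamp} {f.host:6} {f.user:16} {f.rule:18} {why}")
    print("rollback still possible:", rollback_still_possible(hits))
    print("per host:", findings_by_host(hits))
    print("isolate first:", first_finding(hits).host)
```

Note the negative case in the sample: `vssadmin list shadows` is a routine query and must not alert, which is why the rules key on the destructive verbs rather than on the binary name. In a real deployment the same patterns would be fed from the EDR or SIEM rather than from a string, and the service account seen running them (here the backup account) is itself a finding, since it shows which credentials the attacker already holds.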

Progent offers a range of services for protecting organizations from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of SentinelOne's behavior-based endpoint protection to identify and stop zero-day threats rapidly. Progent can also provide seasoned ransomware recovery engineers with the skill and persistence to rebuild a breached environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware intrusion, paying the ransom in cryptocurrency provides no assurance that the criminals will hand over working keys to decrypt all your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the mission-critical parts of your IT environment. Without usable backups, this calls for a broad complement of skills, well-coordinated project management, and the ability to work around the clock until the recovery is finished.

For decades, Progent has provided professional IT services to companies in Irvine and throughout the United States and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants with high-level certifications in Microsoft, Cisco, VMware and the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC and GIAC (refer to Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth of expertise lets Progent quickly identify critical systems, salvage the surviving parts of your network after a ransomware intrusion, and reassemble them into a working environment.

Progent's recovery team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent appreciates the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and bring critical applications back online as soon as possible.

Customer Story: A Successful Ransomware Response
A customer contacted Progent after their company was hit by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis by CrowdStrike and others attributes it to a Russian-speaking criminal group associated with the TrickBot botnet. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most profitable ransomware operations on record. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer in the Chicago metro area with around 500 employees. The Ryuk attack had brought down all company operations and manufacturing processes. Most of the client's backups were online and reachable from the compromised network when the attack began, and were destroyed along with the production data. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but ultimately reached out to Progent.


"I can't speak enough about the expertise Progent provided us during the most fearful time of (our) company's survival. We had little choice but to pay the cybercriminals if not for the confidence the Progent group provided us. That you could get our e-mail and essential servers back in less than five days was something I thought impossible. Each expert I got help from or communicated with at Progent was hell bent on getting us back on-line and was working at all hours to bail us out."

Progent worked hand in hand with the customer to rapidly identify and prioritize the key services that had to be restored in order to resume company operations:

  • Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software
To begin, Progent followed incident response best practices: contain the outbreak by stopping lateral movement, then eradicate the malware before restoring anything, so that recovered systems are not immediately re-infected. Progent then began recovering Active Directory, the heart of any environment built on Microsoft technology. Exchange cannot run without Active Directory, and the company's financial and MRP applications ran on SQL Server, which relied on AD for authentication and access control.

In less than two days, Progent restored Active Directory to its pre-attack state. Progent then rebuilt key servers and recovered data from their disks. All Exchange Server data and configuration information were intact, which accelerated the Exchange rebuild. Progent collected local Outlook offline data (.ost) files from workstations and laptops to recover mail messages. A reasonably recent offline backup of the customer's accounting/ERP systems made it possible to bring those services back online. Although major work remained to recover fully from the Ryuk incident, essential services were restored quickly:


"For the most part, the manufacturing operation survived unscathed and we produced all customer orders."

Over the following weeks, key milestones in the restoration were reached through close collaboration between Progent's team and the customer:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore email archive server, holding more than four million historical messages, was brought online and made accessible to users.
  • CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory functions were fully operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Most desktops and laptops were working as they had before the incident.

"A lot of what happened in the initial days is nearly entirely a blur for me, but my management will not forget the dedication all of you put in to give us our business back. I've trusted Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered. This situation was a Herculean accomplishment."

Conclusion
A likely business catastrophe was averted by hard-working experts, a wide range of knowledge, and close collaboration. Forensics concluded that the attack described here should have been prevented by current security tooling and recognized best practices: user training, well-thought-out incident response procedures, backups kept out of reach of the production network, and prompt security patching. Even so, financially motivated criminal groups and state-sponsored actors alike are relentless and are not going away. If you are hit by a ransomware attack, you can be confident that Progent's team has substantial experience in ransomware blocking, mitigation and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), I'm grateful for making it so I could get rested after we made it through the initial fire. Everyone did a fabulous effort, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Irvine a variety of online monitoring and security assessment services designed to help reduce your exposure to ransomware. These services use machine learning to detect new strains of ransomware that evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next-generation behavior-based analysis to defend physical and virtual endpoints against modern malware such as ransomware and phishing payloads, which routinely evade legacy signature-based anti-virus products. ProSight ASM protects local and cloud resources and provides a unified platform covering the whole threat lifecycle: prevention, detection, containment, remediation and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly seen attacks. Because rollback depends on shadow copies, and deleting them is one of the first things most ransomware does, the agent must be in place and protecting VSS before the attack; rollback is not a substitute for offline backups. Progent is a SentinelOne Partner, reseller and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical servers, virtual machines, desktops, mobile devices and Microsoft Exchange. ProSight ESP uses adaptive security and machine learning to continuously monitor and respond to threats from all attack vectors. It provides two-way firewall protection, intrusion alerts, endpoint management and web filtering through leading-edge technologies packaged in a single agent managed from one console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP deployment that addresses your company's specific needs and lets you demonstrate compliance with government and industry information security regulations. Progent will help you define and implement the security policies that ProSight ESP enforces, and will monitor your environment and respond to alerts that require urgent action. Progent can also help you set up and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services, a selection of managed offerings that provide backup-as-a-service. ProSight DPS products automate and track your backup operations and allow non-disruptive backup and fast recovery of vital files/folders, applications, system images and virtual machines. ProSight DPS helps you protect against data loss resulting from hardware failure, natural disasters, fire, cyber attacks such as ransomware, user mistakes, malicious employees or application bugs. For ransomware in particular, at least one backup copy should be offline or on storage that cannot be modified with the credentials used on the production network, because backups reachable from a compromised domain are routinely destroyed before encryption begins. Managed backup services in the ProSight Data Protection Services line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you identify which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security vendors to deliver centralized control and world-class protection for all your email traffic. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with a local gateway device to provide complete defense against spam, viruses, denial of service (DoS) attacks, directory harvest attacks (DHAs) and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to external threats and saves bandwidth and storage. Email Guard's on-premises security gateway provides a further layer of inspection for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server track and safeguard internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, enhance and troubleshoot their networking hardware such as switches, firewalls, and access points plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept current, captures and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when problems are detected. By automating time-consuming management activities, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding appliances that require critical software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your network operating at peak levels by checking the state of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management personnel and your Progent engineering consultant so that any looming issues can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms and the applications. Since the environment is virtualized, it can be moved immediately to alternate hardware without a time-consuming and technically risky reconfiguration. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard information about your IT infrastructure, procedures, business applications and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL/TLS certificates or warranties. By updating and organizing your IT documentation, you can eliminate up to 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your business network, such as recommended procedures and how-tos. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that uses next-generation behavior-based analysis to defend endpoints, servers and VMs against modern malware such as ransomware and phishing payloads, which routinely escape traditional signature-based anti-virus tools. The service safeguards local and cloud resources and offers a single platform covering the whole threat lifecycle: protection, detection, containment, remediation and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Center: Support Desk Managed Services
    Progent's Support Desk services allow your IT staff to offload Support Desk services to Progent or divide activity for Help Desk services seamlessly between your in-house support staff and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth extension of your core support team. User access to the Service Desk, provision of technical assistance, escalation, ticket generation and updates, efficiency metrics, and management of the support database are consistent regardless of whether issues are resolved by your internal network support staff, by Progent, or by a combination. Learn more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of any size a versatile and affordable solution for assessing, testing, scheduling, applying, and tracking updates to your dynamic IT system. Besides maximizing the security and reliability of your IT environment, Progent's software/firmware update management services allow your in-house IT team to focus on more strategic projects and tasks that deliver maximum business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans use Cisco's Duo cloud technology to mitigate attacks based on stolen passwords by adding two-factor authentication (2FA). Duo enables one-tap identity confirmation on Apple iOS, Android and other out-of-band devices. With Duo 2FA, when you sign in to a protected application and enter your password, you are asked to confirm your identity using a device that only you possess, over a separate network channel. A wide range of devices can serve as this second factor, including an iPhone, Android phone or smartwatch, a hardware token, or a landline telephone, and you may register several. For more information about Duo identity validation services, see Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of real-time and in-depth management reporting utilities created to work with the industry's top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For Irvine 24x7x365 Crypto-Ransomware Cleanup Help, reach out to Progent at 800-462-8800 or go to Contact Progent.