Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware Recovery Experts

Ransomware has become an all-too-frequent cyberplague that represents an enterprise-level danger for businesses unprepared for an attack. Ransomware families such as the Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for a long time and still cause havoc. Recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with unnamed newcomers, not only encrypt online data but also compromise every system restore point and backup they can reach. Information synchronized to the cloud can be encrypted as well. In a vulnerable environment this can make recovery hopeless and effectively sets the datacenter back to zero.

Restoring online services and data after a ransomware event becomes a race against the clock as the targeted organization fights to stop the spread, remove the malware, and resume mission-critical operations. Because ransomware needs time to propagate, attacks are often launched on weekends, when they typically take longer to detect. This compounds the difficulty of quickly assembling and coordinating an experienced response team.

Progent provides a variety of services for protecting organizations against ransomware events. Among these are staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security gateways using artificial intelligence technology from SentinelOne to detect and suppress zero-day threats automatically. Progent also provides the services of seasoned crypto-ransomware recovery professionals with the skills and perseverance to restore a breached environment as quickly as possible.

Progent's Ransomware Restoration Support Services
Following a crypto-ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the criminals will return the keys needed to decrypt any of your information. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransom itself is also very costly. Ryuk ransoms are commonly several hundred thousand dollars, and for larger enterprises the demand can reach millions of dollars. The alternative is to rebuild the key components of your IT environment from scratch. Without complete system backups, this calls for a broad range of IT skills, well-coordinated team management, and the ability to work continuously until the recovery project is finished.

For twenty years, Progent has provided professional IT services for companies across the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold advanced certifications in leading technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of expertise gives Progent the capability to knowledgeably assess critical systems, consolidate the surviving pieces of your IT environment after a crypto-ransomware intrusion, and rebuild them into an operational system.

Progent's security team uses best-of-breed project management tools to orchestrate the complicated restoration process. Progent understands the importance of acting rapidly and working together with a customer's management and IT team to prioritize tasks and bring essential systems back online as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A small business escalated to Progent after their company was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific businesses with little ability to sustain disruption and is among the most lucrative ransomware strains. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with about 500 staff members. The Ryuk intrusion had shut down all essential business operations and manufacturing capabilities. Most of the client's backups were directly accessible online when the intrusion began and were damaged. The client was pursuing financing to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.


"I can't speak enough in regards to the help Progent provided us during the most fearful time of (our) company's existence. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group afforded us. That you could get our e-mail system and production servers back sooner than 1 week was amazing. Every single expert I spoke to or communicated with at Progent was hell-bent on getting us working again and was working all day and night to bail us out."

Progent worked together with the customer to quickly understand and prioritize the key elements that needed to be recovered to make it possible to restart departmental operations:

  • Active Directory (AD)
  • Exchange Server
  • Financials/MRP

To get going, Progent adhered to ransomware incident mitigation industry best practices by isolating and removing active malware. Progent then started the work of rebuilding Windows Active Directory, the core of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server email will not operate without Active Directory, and the client's MRP system used Microsoft SQL Server, which depends on Active Directory for authentication to the databases.

Within 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then helped perform setup and storage recovery of the most important servers. All Exchange Server schema and configuration information was intact, which greatly simplified the rebuild of Exchange. Progent was able to gather local OST files (Microsoft Outlook Offline Data Files) from staff PCs and laptops in order to recover mail messages. A relatively recent offline backup of the customer's accounting/ERP systems made it possible to bring these essential applications back online. Although a large amount of work remained to recover fully from the Ryuk damage, critical services were returned to operation rapidly:


"For the most part, the manufacturing operation did not miss a beat and we did not miss any customer shipments."

Throughout the next couple of weeks important milestones in the recovery process were achieved in tight collaboration between Progent engineers and the client:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Microsoft Exchange Server containing more than four million archived messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory Control functions were fully restored.
  • A new Palo Alto 850 firewall was installed.
  • Most of the desktops and laptops were fully operational.

"A lot of what happened in the initial days is nearly entirely a blur for me, but my team will not forget the care each of you put in to help get our business back. I have trusted Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This event was a stunning achievement."

Conclusion
A potential business-killing catastrophe was averted by top-tier experts, a broad array of IT skills, and tight collaboration. In hindsight, the crypto-ransomware intrusion described here should have been detected and stopped by modern security systems, NIST Cybersecurity Framework best practices, staff education, and well-thought-out incident response procedures covering data backup and timely security patching. The fact remains, however, that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's team of experts has proven experience in crypto-ransomware blocking, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for letting me get rested after we got over the most critical parts. Everyone did an amazing job, and if anyone is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Charleston a range of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services incorporate modern artificial intelligence technology to uncover zero-day variants of ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by tracking the health of vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your specified IT staff and your assigned Progent consultant so any looming issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software delivers a centralized, cloud-based solution for managing your network, server, and desktop devices by providing tools for performing common time-consuming tasks. These can include health checking, update management, automated remediation, endpoint configuration, backup and recovery, A/V defense, remote access, built-in and custom scripts, resource inventory, endpoint profile reporting, and troubleshooting assistance. If ProSight LAN Watch with NinjaOne RMM spots a serious issue, it sends an alarm to your specified IT management personnel and your assigned Progent consultant so potential issues can be fixed before they interfere with your network. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring consulting.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map out, track, optimize and debug their networking hardware like routers and switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are kept updated, copies and manages the configuration of almost all devices on your network, monitors performance, and sends notices when problems are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, locating devices that need critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of real-time and in-depth management reporting tools created to work with the top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues like spotty support follow-through or machines with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with advanced backup technology providers to create ProSight Data Protection Services, a family of subscription-based offerings that deliver backup-as-a-service. ProSight DPS products manage and monitor your data backup processes and allow non-disruptive backup and rapid recovery of vital files, applications, system images, plus virtual machines. ProSight DPS lets you recover from data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks like ransomware, user error, ill-intentioned insiders, or application glitches. Managed services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security vendors to provide centralized control and world-class security for all your inbound and outbound email. The architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter serves as a preliminary barricade and blocks most unwanted email before it reaches your security perimeter. This decreases your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a further layer of inspection for incoming email. For outgoing email, the local gateway provides AV and anti-spam protection, DLP, and email encryption. The local security gateway can also help Exchange Server track and safeguard internal email traffic that stays within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation on iOS, Google Android, and other personal devices. Using Duo 2FA, when you sign into a protected online account and enter your password you are asked to verify who you are via a unit that only you possess and that is accessed using a different network channel. A wide range of devices can be used as this second means of authentication including a smartphone or watch, a hardware token, a landline telephone, etc. You can register multiple validation devices. To find out more about Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services.

  • Progent's Outsourced/Shared Help Center: Call Center Managed Services
    Progent's Call Center managed services permit your information technology team to offload Help Desk services to Progent or divide activity for support services seamlessly between your internal network support staff and Progent's nationwide roster of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a seamless extension of your internal support organization. End user interaction with the Help Desk, delivery of technical assistance, issue escalation, trouble ticket generation and tracking, performance measurement, and management of the service database are cohesive regardless of whether incidents are resolved by your core IT support group, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/co-managed Call Center services.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting edge behavior-based machine learning tools to guard endpoints and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-based anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and offers a single platform to automate the complete malware attack progression including blocking, infiltration detection, containment, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard data about your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save as much as half of time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Find out more about ProSight IT Asset Management service.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of any size a flexible and cost-effective alternative for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information network. In addition to optimizing the protection and reliability of your computer network, Progent's software/firmware update management services allow your in-house IT staff to focus on line-of-business projects and tasks that deliver maximum business value from your information network. Learn more about Progent's patch management services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved easily to a different hosting solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting-edge behavior-based machine learning tools to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely get past traditional signature-matching AV tools. ProSight ASM safeguards local and cloud-based resources and offers a single platform to address the entire threat progression including protection, identification, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint control, and web filtering via leading-edge tools packaged within a single agent accessible from a single control. Progent's security and virtualization experts can help your business to design and implement a ProSight ESP deployment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate attention. Progent can also assist your company to install and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

For Charleston 24x7x365 Ransomware Removal Consultants, call Progent at 800-462-8800 or go to Contact Progent.