Ransomware: Your Feared Information Technology Catastrophe
Ransomware Recovery Professionals
Ransomware has become an escalating cyber plague that poses an extinction-level threat to businesses of all sizes that are poorly prepared for an attack. Ransomware families such as CrySIS, Fusob, Locky, SamSam and MongoLock have been in the wild for years and continue to inflict damage. Newer crypto-ransomware strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with as-yet-unnamed newcomers, not only encrypt on-line data but also encrypt or delete any system backups they can reach over the network. Data replicated to cloud environments can also be held hostage when the encrypted copies are synced. In a poorly designed system this can make any restoration impossible and effectively set the network back to zero.

Getting applications and data back online after a ransomware event becomes a race against the clock as the victim works to contain the damage, clean up the ransomware, and restore business-critical activity. Because mass encryption takes time, attackers usually trigger it at night or over weekends, when it takes longer for anyone to notice and fewer staff are on hand. This multiplies the difficulty of quickly assembling and coordinating a capable response team.

Progent offers a range of services for protecting organizations from ransomware attacks. These include user training to help staff recognize and avoid phishing lures, ProSight LAN Watch for remote monitoring and management, and ProSight Active Security Monitoring, which uses SentinelOne's behavior-based machine learning endpoint protection to detect and stop zero-day threats quickly. Progent can also provide seasoned ransomware recovery consultants with the track record and perseverance to rebuild a breached network as rapidly as possible.

Progent's Ransomware Restoration Services
Paying the ransom in cryptocurrency does not guarantee that the criminals will hand over working keys to decrypt all your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also expensive: Ryuk demands are typically several hundred thousand dollars, and for larger enterprises they can run into the millions. The alternative is to rebuild the critical parts of your IT environment. Without usable backups of essential data, this calls for a broad complement of skills, disciplined project management, and the ability to work non-stop until the job is done.

For two decades, Progent has provided certified expert IT services to businesses throughout the United States and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISA, CISSP, CRISC, GIAC, and CMMC 2.0 (visit Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience gives Progent the skills to quickly identify critical systems, salvage what remains of your IT environment after a crypto-ransomware attack, and rebuild it into a working system.

Progent's recovery team uses robust project management tools to coordinate the complex restoration process. Progent understands the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and bring the most important systems back online as fast as possible.

Customer Story: A Successful Crypto-Ransomware Intrusion Response
A small business hired Progent after its network was crippled by Ryuk crypto-ransomware. Ryuk was initially linked to North Korean state hackers because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing. Most of the client's system backups had been reachable from the compromised network when the attack began and were destroyed. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.


"I cannot tell you enough in regard to the care Progent gave us during the most critical time of (our) business's existence. We may have had to pay the Hackers except for the confidence the Progent team afforded us. That you could get our messaging and key servers back on-line sooner than 1 week was earth shattering. Every single expert I interacted with or e-mailed at Progent was totally committed to getting us back online and was working day and night on our behalf."

Progent worked hand in hand with the client to quickly assess and prioritize the key applications that had to be recovered to restart departmental functions:

  • Active Directory (AD)
  • Exchange Server
  • MRP System
Progent first followed incident response best practice by containing the outbreak (isolating infected hosts so the malware could not spread further) and eradicating it from affected systems. Progent then began restoring Windows Active Directory, the core of enterprise environments built on Microsoft Windows. Exchange will not function without AD, and the business's MRP system ran on Microsoft SQL Server, which relied on Active Directory for authentication and authorization to its databases.

Within 2 days, Progent had rebuilt Windows Active Directory to its pre-attack state. Progent then assisted with reinstallation and hard drive recovery on essential servers. All Exchange schema extensions and attributes in AD were intact, which simplified the Exchange rebuild. Progent located unencrypted OST files (Outlook Offline Folder Files) on staff desktop computers and used them to recover email messages. A reasonably recent offline backup of the business's accounting/ERP software made it possible to bring those applications back into service. Although major work remained to recover completely from the Ryuk damage, the most important systems were back in operation quickly:


"For the most part, the production manufacturing operation never missed a beat and we delivered all customer deliverables."
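The OST triage step described above, as an added example that is not Progent's code: a Python script that walks workstation profile directories and sorts Outlook data files into intact, encrypted and suspect, so the recovery team knows which files are worth importing before Outlook is pointed at them. It relies on two facts that are not specific to this case study (every OST/PST file begins with the PFF signature "!BDN", and Ryuk renames the files it encrypts with a .RYK extension) plus one assumed heuristic, a Shannon-entropy cut-off of 7.5 bits per byte over the first 4 KiB, which separates ciphertext from a real mailbox header. The function names and the sample files written to a temporary directory are the example's own.

```python
"""Triage Outlook data files found on workstations after a ransomware event.

Added example, not Progent's code. Sorts OST/PST files into intact,
encrypted and suspect so the recovery team knows which are worth importing.
Facts used: every OST/PST file starts with the PFF signature "!BDN", and
Ryuk renames files it encrypts with a .RYK extension. Assumed heuristic:
ciphertext has Shannon entropy near 8 bits/byte, an intact mailbox header
far less; the 7.5 cut-off and the function names are this example's own.
"""
import math
import os
import random
import tempfile
from collections import Counter

PFF_MAGIC = b"!BDN"            # header bytes of every Outlook OST/PST file
RANSOM_EXTENSIONS = {".ryk"}   # suffix Ryuk appends to files it encrypts
SAMPLE_BYTES = 4096            # how much of each file is examined
ENTROPY_THRESHOLD = 7.5        # assumed cut-off in bits/byte (ciphertext ~8.0)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, header: bytes) -> str:
    """Return 'intact', 'encrypted' or 'suspect' for one candidate file."""
    if os.path.splitext(name)[1].lower() in RANSOM_EXTENSIONS:
        return "encrypted"       # renamed by the ransomware
    if header.startswith(PFF_MAGIC):
        return "intact"          # valid OST/PST signature survived
    if shannon_entropy(header) > ENTROPY_THRESHOLD:
        return "encrypted"       # no signature and ciphertext-like bytes
    return "suspect"             # neither a mailbox nor ciphertext: inspect by hand


def is_candidate(name: str) -> bool:
    """True for OST/PST files and for anything carrying a ransom extension."""
    lower = name.lower()
    return lower.endswith((".ost", ".pst")) or os.path.splitext(lower)[1] in RANSOM_EXTENSIONS


def triage_directory(root: str) -> dict:
    """Walk root and map each candidate file name to its classification."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not is_candidate(fname):
                continue
            with open(os.path.join(dirpath, fname), "rb") as fh:
                results[fname] = classify(fname, fh.read(SAMPLE_BYTES))
    return results


def demo() -> dict:
    """Write constructed sample files to a temp dir and triage them."""
    rnd = random.Random(1)  # deterministic stand-in for ciphertext

    def noise() -> bytes:
        return bytes(rnd.getrandbits(8) for _ in range(SAMPLE_BYTES))

    samples = {
        "alice.ost": PFF_MAGIC + b"\x00" * 508,   # intact mailbox header
        "bob.ost": noise(),                        # encrypted in place, name kept
        "carol.ost.RYK": noise(),                  # encrypted and renamed by Ryuk
        "notes.txt": b"not a mailbox",             # not a candidate, ignored
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return triage_directory(tmp)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

In a real recovery you would point triage_directory at the root of each workstation's profile share rather than at the temporary directory. Families that encrypt only the first part of large files are still caught by the header check; files reported as suspect are usually not mailboxes at all, or were damaged some other way, and deserve a manual look (or a pass with scanpst) before anyone imports them.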

Over the next couple of weeks, key milestones in the restoration project were reached through close cooperation between Progent team members and the client:

  • Internal web applications were restored without losing any data.
  • The MailStore Server containing more than four million archived emails was brought online and available for users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory capabilities were 100% recovered.
  • A new Palo Alto 850 firewall was brought online.
  • Most of the desktop computers were functioning as before the incident.

"A lot of what went on in the early hours is nearly entirely a blur for me, but our team will not soon forget the urgency each member of the team put in to give us our business back. I've been working together with Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered. This situation was a stunning achievement."

Conclusion
A potential business-ending disaster was averted thanks to top-tier professionals, a wide array of IT skills, and close teamwork. Forensics showed that the attack described here could have been prevented with up-to-date security tooling and recognized best practices: training for users and IT administrators, well-designed procedures for protecting data (including backups the ransomware cannot reach), and keeping systems current with security patches. The reality, however, is that organized cyber criminals and state-sponsored groups from China, North Korea and elsewhere are tireless and will keep trying. If you are hit by a crypto-ransomware attack, you can be confident that Progent's roster of experts has substantial experience in ransomware prevention, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get rested after we got past the most critical parts. All of you made an impressive effort, and if any of your guys are in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Charlotte a range of remote monitoring and security assessment services to help minimize the threat from crypto-ransomware. These services include modern AI-based detection to uncover previously unseen (zero-day) ransomware strains that evade legacy signature-based anti-virus products.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by tracking the health of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT management personnel and your Progent engineering consultant so any potential problems can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software delivers a unified, cloud-driven platform for managing your network, server, and desktop devices by providing an environment for performing common time-consuming jobs. These can include health checking, update management, automated remediation, endpoint setup, backup and recovery, A/V defense, secure remote access, built-in and custom scripts, asset inventory, endpoint profile reporting, and debugging assistance. When ProSight LAN Watch with NinjaOne RMM spots a serious problem, it transmits an alarm to your designated IT staff and your Progent consultant so potential problems can be taken care of before they interfere with productivity. Find out more details about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring services.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and debug their networking hardware like switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are always updated, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding appliances that need important software patches, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time management reporting plug-ins designed to integrate with the top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues such as spotty support follow-up or machines with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with leading backup software providers to produce ProSight Data Protection Services, a portfolio of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your backup processes and allow non-disruptive backup and rapid restoration of important files, applications, system images, plus virtual machines. ProSight DPS helps you recover from data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned employees, or application bugs. Managed services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security companies to provide centralized control and world-class security for your email traffic. The powerful architecture of the Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of threats from reaching your security perimeter. This reduces your exposure to external attacks and conserves system bandwidth and storage. Email Guard's onsite gateway device provides a further layer of analysis for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to track and safeguard internal email that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against the misuse of stolen passwords by adding a second authentication factor. Duo supports single-tap identity verification on iOS, Android, and other personal devices. With Duo 2FA, when you log into a secured application and enter your password you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A wide range of devices can serve as this second factor, including an iPhone, Android phone or wearable, a hardware or software token, or a landline phone, and you can enroll several verification devices. To learn more about ProSight Duo identity authentication services, see Duo MFA two-factor authentication (2FA) services for access security.

  • Outsourced/Co-managed Call Center: Help Desk Managed Services
    Progent's Support Desk managed services enable your IT group to outsource Support Desk services to Progent or divide activity for Service Desk support transparently between your in-house network support resources and Progent's nationwide pool of IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a transparent extension of your internal IT support group. User access to the Help Desk, delivery of support, escalation, trouble ticket creation and updates, efficiency measurement, and maintenance of the service database are consistent whether issues are resolved by your in-house network support staff, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Help Center services.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that uses cutting-edge behavior analysis to defend endpoint devices, servers and VMs against new malware attacks such as ransomware and email phishing that easily slip past traditional signature-matching anti-virus products. The service protects on-premises and cloud resources and provides a single platform covering the complete attack lifecycle: protection, detection, mitigation, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard data about your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By keeping your IT documentation current, you can eliminate up to half of the time spent hunting for vital information about your network. ProSight IT Asset Management provides a common location for storing and sharing all documents required for managing your business network, such as standard operating procedures and how-to guides, and offers advanced automation for gathering and correlating IT information. Whether you're making improvements, doing routine maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Read more about ProSight IT Asset Management service.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer organizations of any size a versatile and cost-effective alternative for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic IT system. Besides optimizing the protection and functionality of your IT network, Progent's patch management services permit your IT staff to focus on line-of-business initiatives and activities that derive the highest business value from your network. Find out more about Progent's patch management support services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a lengthy and technically risky reinstallation, so your business is not tied to a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's next generation behavior analysis tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily evade legacy signature-based anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a single platform to address the entire malware attack lifecycle including blocking, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of, and response to, attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge tools incorporated within one agent and managed from a single console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP deployment that meets your company's unique needs and helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent can also help your company install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
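One-click rollback through VSS, offered by two of the services above, only works if the shadow copies are still there, and ransomware such as Ryuk deletes them (and disables Windows recovery options) shortly before encrypting, so a practitioner wants those commands to raise an alert in their own right. The following Python detector is an added example and is not part of any Progent or SentinelOne product: it applies regular expressions for the well-known inhibit-recovery commands (MITRE ATT&CK T1490) to process-creation records. The tab-separated host/user/cmd record format, the function names and the log lines are all constructed for the example; in practice the command line would come from the CommandLine field of Windows Security event 4688 or Sysmon event 1.

```python
"""Flag process-creation events that try to inhibit system recovery.

Added example, not part of any Progent or SentinelOne product. VSS rollback
only helps if shadow copies survive, and ransomware such as Ryuk deletes them
before encrypting, so the commands below (MITRE ATT&CK T1490) deserve an
alert of their own. Record format and log lines are constructed for the
example; in practice the command line comes from Security event 4688 or
Sysmon event 1.
"""
import re

# (label, regex over the full command line); all case-insensitive
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.I)),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"Win32_ShadowCopy\b.*\b(?:Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I)),
]


def event(host: str, user: str, cmd: str) -> str:
    """Build one constructed record: tab-separated key=value fields."""
    return f"host={host}\tuser={user}\tcmd={cmd}"


def parse_event(line: str) -> dict:
    """Parse the tab-separated key=value record back into a dict."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")   # cmd may itself contain '='
        fields[key] = value
    return fields


def match_rules(cmdline: str) -> list:
    """Labels of every rule the command line triggers (usually 0 or 1)."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def detect(lines) -> list:
    """Return (host, user, label, cmd) for each rule hit, in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        for label in match_rules(cmd):
            hits.append((ev.get("host", "?"), ev.get("user", "?"), label, cmd))
    return hits


# Constructed sample log: six hostile commands and two benign look-alikes.
SAMPLE_LOG = [
    event("WS01", r"CORP\jsmith", r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'),
    event("WS03", r"CORP\backup", "vssadmin list shadows"),                               # benign
    event("FS02", r"NT AUTHORITY\SYSTEM", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    event("WS01", r"CORP\jsmith", "bcdedit /set {default} recoveryenabled No"),
    event("WS01", r"CORP\jsmith", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    event("WS03", r"CORP\backup", "wbadmin start backup -backupTarget:E: -include:C:"),   # benign
    event("FS02", r"NT AUTHORITY\SYSTEM", "wmic.exe shadowcopy delete"),
    event("WS04", r"CORP\admin", 'powershell.exe -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'),
]

if __name__ == "__main__":
    for host, user, label, cmd in detect(SAMPLE_LOG):
        print(f"ALERT {label:36s} {host} {user}: {cmd}")
```

Backup products legitimately resize shadow storage and administrators occasionally delete shadows by hand, so treat these as high-signal rather than certain and add per-host or per-account allow-lists. The rules key on both the binary name and its arguments, so a copy of vssadmin.exe that the attacker renamed would evade them; matching on a field that records the original file name (Sysmon's OriginalFileName) closes that gap.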
For Charlotte 24/7 Crypto-Ransomware Remediation Services, reach out to Progent at 800-462-8800 or go to Contact Progent.