Ransomware: Your Worst Information Technology Disaster
Crypto-Ransomware Remediation Experts

Ransomware has become a too-frequent cyber pandemic that presents an enterprise-level threat to businesses of all sizes. Multiple generations of ransomware such as the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with additional unnamed malware, not only encrypt on-line critical data but also infect any configured system restore points and backups. Information synced to the cloud can also be ransomed. With a vulnerable data protection solution, this can render automatic restoration hopeless and effectively knocks the entire system back to square one.

Getting services and data back online after a ransomware outage becomes a race against time as the targeted business tries its best to contain the damage, clean up the ransomware, and resume enterprise-critical operations. Because ransomware takes time to spread, penetrations are usually launched on weekends, when successful attacks often take longer to notice. This multiplies the difficulty of promptly assembling and coordinating a knowledgeable mitigation team.

Progent makes available a range of support services for securing organizations against ransomware events. Among these are staff education to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security appliances with machine learning technology from SentinelOne to detect and suppress zero-day threats intelligently. Progent also provides the assistance of veteran ransomware recovery professionals with the track record and commitment to rebuild a breached system as quickly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom demand in cryptocurrency provides no assurance that the attackers will hand over the keys to decrypt any of your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be around $13,000. The alternative is to re-install the essential components of your IT environment. Without usable system backups, this requires a wide range of skills, professional team management, and the capability to work non-stop until the task is over.

For two decades, Progent has provided certified expert Information Technology services for companies in Mission Viejo and across the United States and has achieved Microsoft Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of expertise gives Progent the skills to knowledgeably assess the necessary systems, integrate the remaining components of your Information Technology environment following a ransomware penetration, and configure them into a functioning system.

Progent's ransomware recovery team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the importance of acting rapidly and working together with a client's management and IT staff to prioritize tasks and put the most important systems back online as fast as humanly possible.

Customer Story: A Successful Ransomware Intrusion Restoration
A business engaged Progent after their company was taken over by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state criminal gangs, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with limited tolerance for disruption and is among the most profitable examples of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's data backups had been online at the time of the intrusion and were encrypted. The client was pursuing financing to pay the ransom demand (exceeding $200K) and hoping for the best, but ultimately called Progent.

"I can't thank you enough for the expertise Progent provided us throughout the most critical time of (our) business's survival. We would have paid the hackers behind this attack except for the confidence the Progent team provided us. That you were able to get our e-mail system and key applications back into operation in less than seven days was something I thought impossible. Each expert I worked with or texted at Progent was amazingly focused on getting us working again and was working 24 by 7 to bail us out."

Progent worked together with the customer to rapidly identify and prioritize the most important systems that had to be restored before company operations could resume:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software

To begin, Progent followed industry best practices for malware incident mitigation by halting lateral movement and then removing the malware. Progent then started rebuilding Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without Active Directory, and the client's MRP applications relied on Microsoft SQL Server, which requires Active Directory for authentication to the database.

In less than two days, Progent rebuilt Active Directory to its pre-attack state. Progent then performed setup and storage recovery on mission-critical servers. All Exchange schema and configuration information was still usable, which simplified the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Offline Data Files) from staff PCs and laptops in order to recover email messages. A recent offline backup of the customer's financial/ERP systems made it possible to bring these required services back online. Although significant work remained to recover fully from the Ryuk event, essential systems were returned to operation quickly:
"For the most part, the manufacturing operation survived unscathed and we delivered all customer orders."

Over the next month important milestones in the restoration process were achieved through close collaboration between Progent consultants and the customer:

  • Internal web applications were restored with no loss of information.
  • The MailStore Server archive, holding more than 4 million historical messages, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivable/Inventory Control capabilities were 100% restored.
  • A new Palo Alto 850 firewall was installed and configured.
  • Nearly all of the desktop computers were back into operation.

"A lot of what occurred those first few days is mostly a haze for me, but I will not soon forget the dedication all of your team accomplished to give us our business back. I've trusted Progent for the past ten years, maybe more, and each time Progent has shined and delivered. This time was a stunning achievement."

Conclusion
A potentially company-ending disaster was avoided through the efforts of results-oriented professionals, a broad spectrum of technical expertise, and tight teamwork. Although in post-mortem analysis the ransomware penetration detailed here should have been identified and disabled with advanced cyber security solutions, ISO/IEC 27001 best practices, team training, and properly executed security procedures for information protection and patching controls, the reality remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware virus, remember that Progent's team of professionals has extensive experience in ransomware blocking, cleanup, and data disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for allowing me to get rested after we got through the first week. All of you did a fabulous job, and if any of your team is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Mission Viejo a portfolio of remote monitoring and security evaluation services designed to help reduce the threat from crypto-ransomware. These services include modern machine learning capabilities to uncover new strains of crypto-ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to address the complete malware attack lifecycle including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to security attacks from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP environment that meets your company's unique requirements and helps you demonstrate compliance with legal and industry information security regulations. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also help your company install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore software companies to create ProSight Data Protection Services (DPS), a selection of management outsourcing plans that provide backup-as-a-service. ProSight DPS services automate and track your data backup processes and allow transparent backup and rapid recovery of vital files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss caused by hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security companies to deliver centralized management and world-class protection for all your email traffic. The powerful architecture of Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of inspection for incoming email. For outgoing email, the on-premises security gateway provides AV and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, track, enhance and debug their connectivity appliances like routers, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are discovered. By automating complex network management processes, WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, finding devices that need important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by tracking the state of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT management staff and your assigned Progent engineering consultant so any looming issues can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure, fault-tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect data about your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can save up to half of the time wasted searching for critical information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about the ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates cutting-edge behavior-based machine learning tools to guard endpoints as well as physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which easily escape legacy signature-matching anti-virus products. Progent ASM services protect local and cloud resources and provide a single platform to manage the complete malware attack progression, including protection, identification, containment, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Call Center: Help Desk Managed Services
    Progent's Support Center services allow your information technology team to outsource Help Desk services to Progent or divide activity for Service Desk support transparently between your in-house support staff and Progent's extensive roster of IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent extension of your internal IT support staff. End user access to the Service Desk, delivery of support services, escalation, ticket creation and tracking, efficiency metrics, and maintenance of the service database are cohesive regardless of whether incidents are taken care of by your corporate network support group, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a versatile and affordable alternative for evaluating, validating, scheduling, implementing, and documenting updates to your ever-evolving IT system. In addition to optimizing the protection and reliability of your IT environment, Progent's patch management services free up time for your in-house IT staff to focus on line-of-business projects and activities that derive the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services use Cisco's Duo technology to protect against stolen passwords by requiring two-factor authentication (2FA). Duo supports one-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you log into a secured online account and enter your password, you are asked to verify your identity on a device that only you possess and that uses a separate network channel. A wide selection of devices can serve as this added form of identity validation, such as a smartphone or watch, a hardware token, or a landline phone. You may register several verification devices. To learn more about Duo identity validation services, refer to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of real-time and in-depth management reporting utilities created to integrate with the leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

For Mission Viejo 24-Hour Crypto-Ransomware Recovery Support Services, contact Progent at 800-462-8800 or go to Contact Progent.