Ransomware: Your Feared IT Disaster
Crypto-Ransomware Remediation Professionals
Crypto-ransomware has become an escalating cyberplague and an enterprise-level threat for organizations poorly prepared for an attack. Older families such as CrySIS, Locky and MongoLock, and the WannaCry and NotPetya cryptoworms, have been in the wild for years and still inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nefilim, along with a steady stream of newcomers, not only encrypt on-line data files but also attack every protection mechanism they can reach: volume shadow copies, backup catalogs, and any backup repository that is online and writable with the credentials they have stolen. Data replicated to off-site disaster recovery sites can be corrupted as well, because replication faithfully copies the encrypted files. In a poorly designed environment this can make automated recovery impossible and effectively sets the datacenter back to zero.

Restoring applications and data after a ransomware intrusion becomes a race against the clock as the targeted organization tries to contain and clean up the ransomware and resume mission-critical activity. Because ransomware needs time to spread and encrypt, attackers typically trigger the encryption stage on weekends and at night, when detection and response take longer. This compounds the difficulty of promptly assembling and coordinating an experienced mitigation team.

Progent offers a range of solutions for protecting businesses from ransomware. These include staff training to recognize and not fall victim to phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of SentinelOne endpoint protection, whose behavioral AI detects and quarantines zero-day threats quickly. Progent can also provide experienced crypto-ransomware recovery engineers with the skill and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the remote criminals will hand over working decryption keys for any of your files. Kaspersky found that 17% of crypto-ransomware victims who paid never recovered their data, compounding their losses. Paying is also expensive: Ryuk demands typically range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet estimated at about $13,000. The alternative is to rebuild the vital elements of your IT environment. Without complete, intact backups, this requires a broad complement of IT skills, well-coordinated project management, and the ability to work around the clock until the recovery is complete.

For two decades, Progent has provided expert IT services for companies in Philadelphia and throughout the United States and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts (SMEs) includes engineers with top certifications in leading technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the skills to rapidly understand critical systems after a ransomware attack, identify what survived, and reassemble the remaining pieces of your network into a functioning whole.

Progent's security team uses project management tools to orchestrate the complicated recovery process. Progent appreciates the urgency of acting quickly, working with the customer's management and IT staff to prioritize tasks and get key services back online as soon as humanly possible.

Customer Case Study: A Successful Ransomware Attack Restoration
A regional manufacturing business headquartered in Chicago with about 500 employees hired Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state hackers because it shares code with the earlier Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group. Ryuk is deployed by hand against specific companies with little tolerance for operational disruption and is among the most profitable ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. The Ryuk intrusion had shut down all essential operations and manufacturing processes. Most of the client's system backups had been online and reachable from the network at the start of the intrusion and were destroyed along with the production data. The client was considering paying the ransom (more than $200,000) and hoping for the best, but in the end reached out to Progent.


"I can't tell you enough about the care Progent provided us throughout the most fearful period of (our) company's existence. We may have had to pay the cybercriminals except for the confidence the Progent group afforded us. The fact that you were able to get our messaging and important applications back into operation sooner than seven days was incredible. Every single person I worked with or e-mailed at Progent was hell bent on getting us back on-line and was working non-stop to bail us out."

Progent worked with the client to quickly identify and prioritize the mission-critical systems that had to be restored before business functions could continue:

  • Active Directory (AD)
  • Exchange Server
  • Accounting/MRP
To begin, Progent followed ransomware incident response best practices by isolating and cleaning the infected systems. Progent then began restoring Microsoft Active Directory, the core of an enterprise built on Windows technology. Exchange Server cannot function without AD, and the customer's financials and MRP software ran on Microsoft SQL Server, which in this environment authenticated users through Active Directory, so nothing that depended on AD could come back until AD did.

Within 48 hours, Progent restored Active Directory to its pre-attack state. Progent then assisted with the setup and storage recovery of key servers. The Exchange Server databases and configuration were intact, which accelerated the restoration of Exchange, and Progent was also able to harvest intact Outlook Offline Data Files (OST files) from staff desktops to recover mail. A recent offline backup of the customer's accounting systems made it possible to bring those required services back online. Although a great deal of work remained to recover fully from the Ryuk damage, the most important services were restored rapidly:


"For the most part, the manufacturing operation was never shut down and we made all customer sales."

Over the next few weeks, key recovery milestones were reached through tight collaboration between Progent engineers and the client:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore email archive, holding more than 4 million historical messages, was back online and available to users.
  • CRM, orders, invoicing, accounts payable, accounts receivable and inventory control functions were fully operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Nearly all user desktops were functioning as before the incident.

"So much of what occurred those first few days is mostly a fog for me, but my team will not soon forget the countless hours each of you accomplished to help get our company back. I have been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This event was a testament to your capabilities."

Conclusion
A probable company-ending catastrophe was averted by dedicated professionals, a wide spectrum of IT skills, and close teamwork. In hindsight, the incident described here should have been prevented by current security tooling and NIST Cybersecurity Framework practices: user and administrator training, backups kept offline or otherwise out of the attacker's reach, and disciplined patching. The fact remains, however, that ransomware operators, whether state-sponsored or purely criminal, are tireless and will keep coming. If you are hit by a ransomware attack, remember that Progent's team has a proven track record in ransomware defense, remediation, and information systems recovery.
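Two details in the case study above call for a concrete control: the client's backups were online and were destroyed, and in hindsight the attack should have been caught before the encryption stage. Ryuk and most current families first delete Volume Shadow Copies and local backup catalogs (vssadmin delete shadows, vssadmin resize shadowstorage, wbadmin delete catalog, wmic shadowcopy delete, bcdedit to disable recovery, and bulk deletion of *.bak/*.vhd files) so that snapshot rollback and local restores fail. Those commands are loud in process-creation logs (Security event 4688 with command-line auditing, or Sysmon event 1) and almost never run legitimately as SYSTEM on a file server. The Python detector below is an added example, not Progent's code or tooling; the JSON field layout and the sample events are constructed for illustration.

```python
"""Flag shadow-copy and backup-destruction commands in Windows process-creation logs.

Added example (not Progent's code). Input is one JSON object per line with the
fields of Security event 4688 (Computer, SubjectUserName, NewProcessName,
CommandLine); the layout and all sample events below are constructed.
"""
import json
import re
from collections import defaultdict
from typing import Iterable

# (rule name, pattern applied to the lower-cased, whitespace-collapsed command line)
RULES = [
    ("vss_delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vss_resize",  # shrinking shadow storage silently evicts existing snapshots
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadow_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled no|bootstatuspolicy ignoreallfailures)")),
    ("backup_file_wipe",  # e.g. del /s /f /q c:\*.bak
     re.compile(r"\bdel\b.*/[sfq]\b.*\\\*\.(bak|bkf|vhdx?|wbcat)\b")),
    ("powershell_shadow_delete",
     re.compile(r"\bwin32_shadowcopy\b.*\b(delete|remove)\b")),
]


def normalise(command_line: str) -> str:
    """Lower-case and collapse whitespace so casing and spacing tricks do not dodge the rules."""
    return re.sub(r"\s+", " ", command_line).strip().lower()


def detect(log_lines: Iterable[str]) -> list[dict]:
    """Return one alert per (event, rule) match. Malformed or command-line-less events are skipped."""
    alerts = []
    for raw in log_lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a bad line must not crash the detector
        cmd = event.get("CommandLine") or ""
        if not cmd:
            continue  # process creation logged without command-line auditing
        norm = normalise(cmd)
        for name, pattern in RULES:
            if pattern.search(norm):
                alerts.append({
                    "host": event.get("Computer", "?"),
                    "user": event.get("SubjectUserName") or event.get("User", "?"),
                    "rule": name,
                    "command": cmd,
                })
    return alerts


def hosts_at_risk(alerts: list[dict], min_rules: int = 2) -> set[str]:
    """Hosts where at least `min_rules` distinct destruction techniques fired.
    One vssadmin delete may be an administrator; several different ones in a
    single batch almost never are."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["rule"])
    return {h for h, rules in seen.items() if len(rules) >= min_rules}


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    # Benign: an administrator listing snapshots.
    r'{"EventID":4688,"Computer":"FILESRV01","SubjectUserName":"jsmith","NewProcessName":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin list shadows"}',
    # The pre-encryption sequence Ryuk-style ransomware runs, here as SYSTEM on a file server.
    r'{"EventID":4688,"Computer":"FILESRV01","SubjectUserName":"SYSTEM","NewProcessName":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"\"C:\\Windows\\System32\\vssadmin.exe\"  Delete Shadows /All /Quiet"}',
    r'{"EventID":4688,"Computer":"FILESRV01","SubjectUserName":"SYSTEM","NewProcessName":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"}',
    r'{"EventID":4688,"Computer":"FILESRV01","SubjectUserName":"SYSTEM","NewProcessName":"C:\\Windows\\System32\\wbadmin.exe","CommandLine":"wbadmin DELETE CATALOG -quiet"}',
    r'{"EventID":4688,"Computer":"FILESRV01","SubjectUserName":"SYSTEM","NewProcessName":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf"}',
    r'{"EventID":4688,"Computer":"FILESRV01","SubjectUserName":"SYSTEM","NewProcessName":"C:\\Windows\\System32\\bcdedit.exe","CommandLine":"bcdedit /set {default} recoveryenabled No"}',
    # A single suspicious command on a workstation: alerted, but below the two-rule "at risk" threshold.
    r'{"EventID":4688,"Computer":"WS-042","SubjectUserName":"mlee","NewProcessName":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic shadowcopy delete"}',
    # Benign PowerShell that only reads snapshot metadata.
    r'{"EventID":4688,"Computer":"WS-042","SubjectUserName":"mlee","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -Command \"Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate\""}',
    # Event logged without command-line auditing, then a malformed line: both skipped.
    r'{"EventID":4688,"Computer":"DC01","SubjectUserName":"svc_backup","NewProcessName":"C:\\Windows\\System32\\wbadmin.exe"}',
    'not a json record',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['host']:10} {a['user']:12} {a['rule']:26} {a['command']}")
    print("hosts at risk:", sorted(hosts_at_risk(found)))
```

Run it against an export of 4688 or Sysmon process-creation events from your SIEM. A host where several different rules fire in one batch is minutes away from encryption, and isolating it from the network immediately is the single most effective action. Pair the alert with a periodic check that shadow copies still exist on file servers, since their silent disappearance is itself an indicator, and keep at least one backup copy that no domain credential can delete.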


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), I'm grateful for allowing me to get some sleep after we got through the initial push. Everyone did an incredible job, and if any of your team is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Philadelphia a range of remote monitoring and security assessment services to help reduce your exposure to ransomware. These include behavior-based machine learning detection that can catch new ransomware strains which evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses SentinelOne's next-generation behavior analysis technology to guard physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which routinely evade traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform covering the entire threat progression: blocking, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback of encrypted files from Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against new threats. One caveat applies to any VSS-based rollback: it only works if the snapshots survive, and most ransomware tries to delete them (for example with vssadmin delete shadows) before it starts encrypting, so the endpoint agent must block that step as well. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through tools incorporated into a single agent managed from a single console. Progent's security and virtualization consultants can help you design and configure a ProSight ESP deployment that addresses your organization's requirements and lets you demonstrate compliance with government and industry data protection regulations. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent can also help you install and test a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a destructive attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup software vendors to create ProSight Data Protection Services, a family of managed backup-as-a-service (BaaS) plans. ProSight DPS services automate and monitor your backup operations and enable non-disruptive backup and rapid recovery of important files, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS protects against data loss from hardware failures, natural disasters, fire, malware such as ransomware, user mistakes, malicious employees, or software bugs; because the backup copies live outside the production environment, they remain available even when an attacker has destroyed every backup reachable from the network. Managed services in the ProSight DPS family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these fully managed backup services best suit your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to provide centralized management and comprehensive protection for all your inbound and outbound email. The architecture of Progent's Email Guard managed service combines cloud-based filtering with a local gateway device to defend against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a first barrier and keeps most threats from ever reaching your network firewall, which reduces your exposure to inbound attacks and conserves bandwidth and storage. The on-site security gateway appliance adds a further layer of analysis for inbound email. For outgoing email, the local gateway provides anti-virus and anti-spam protection, data leakage prevention, and email encryption. The local gateway can also work with Microsoft Exchange Server to monitor and safeguard internal email that originates and terminates inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, reconfigure and debug their connectivity hardware such as switches, firewalls, and load balancers, as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps infrastructure topology maps current, backs up and manages the configuration of virtually every device on your network, tracks performance, and raises alerts when issues are found. By automating complex management tasks, WAN Watch can cut hours off routine chores such as producing network diagrams, expanding your network, finding devices that need important firmware patches, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your network operating at peak levels by checking the state of the critical computers that power your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that looming issues can be resolved before they impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved quickly to a different hosting solution without a time-consuming and technically risky reinstallation, so you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect data about your network infrastructure, procedures, business applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL/TLS certificates or domain registrations. By keeping your IT documentation current and organized, you can save as much as half the time spent searching for vital information about your network. ProSight IT Asset Management provides a centralized repository for storing and sharing all the documents required for managing your business network, such as standard operating procedures (SOPs) and how-tos, and offers automation for collecting and correlating IT information. Whether you are making enhancements, doing routine maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that uses behavior-based machine learning to guard workstations and physical and virtual servers against modern malware such as ransomware and phishing payloads, which easily evade legacy signature-based anti-virus products. Built on ProSight ASM, the service protects local and cloud-based resources and provides a single platform to manage the entire threat progression, including filtering, identification, mitigation, cleanup, and forensics. Key capabilities include single-click rollback from Windows VSS snapshots and real-time system-wide immunization against new threats. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Center: Help Desk Managed Services
    Progent's Service Desk managed services allow your IT group to outsource Help Desk services to Progent or to split support activity transparently between your in-house network support staff and Progent's extensive pool of IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a seamless supplement to your internal network support group. End-user interaction with the Service Desk, delivery of support, problem escalation, trouble ticket creation and tracking, performance metrics, and management of the service database are consistent regardless of whether incidents are handled by your corporate support staff, by Progent's team, or by a combination of the two. Find out more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer organizations of any size a flexible and affordable solution for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. In addition to optimizing the security and reliability of your computer environment, Progent's software/firmware update management services permit your in-house IT staff to focus on line-of-business projects and activities that deliver the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA service plans use Cisco's Duo technology to limit the damage a stolen or phished password can do by requiring a second factor at login. Duo enables single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With 2FA, when you log into a protected account and supply your password you are then asked to verify your identity through a device that only you possess and that uses a separate network channel. A wide selection of out-of-band devices can serve as this second means of validation, such as a smartphone or watch, a hardware or software token, or a landline telephone, and you can enroll multiple validation devices. To find out more about Duo two-factor identity validation services, refer to Duo MFA two-factor authentication services.
For 24x7 Philadelphia CryptoLocker and ransomware cleanup help, call Progent at 800-462-8800 or go to Contact Progent.