Ransomware: Your Worst IT Nightmare
Ransomware Remediation Experts
Crypto-ransomware has become an all-too-frequent cyber plague that poses an extinction-level danger for businesses of any size that are poorly prepared for an attack. Families such as Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been circulating for years and still inflict havoc. Current strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus the as-yet-unnamed variants that appear daily, not only encrypt online data files but also seek out and corrupt any reachable system restore points and backups. Files replicated to cloud environments can be rendered useless as well. With a poorly designed data protection solution, this can make automatic restore operations hopeless and effectively sets the entire environment back to zero.

Restoring services and data after a crypto-ransomware event becomes a race against time as the targeted organization fights to contain the damage, remove the malware, and resume business-critical operations. Because ransomware needs time to spread, attacks are usually launched at night, when they take longer to detect. This compounds the difficulty of quickly assembling and organizing a knowledgeable response team.

Progent makes available an assortment of services for protecting organizations from crypto-ransomware penetrations. These include team training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security appliances with machine learning capabilities from SentinelOne to discover and suppress new cyber threats automatically. Progent in addition can provide the assistance of seasoned ransomware recovery consultants with the talent and perseverance to restore a breached system as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom in cryptocurrency offers no assurance that the criminals will hand over the keys needed to decrypt any of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), far higher than the typical ransomware demand, which ZDNet determined to be in the range of $13,000. The alternative is to rebuild the vital elements of your IT environment. Without full data backups, this calls for a broad complement of IT skills, professional team management, and the willingness to work around the clock until the job is complete.

For twenty years, Progent has offered certified expert IT services to companies in Seattle and across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold high-level certifications in foundation technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of experience lets Progent knowledgeably identify critical systems, reorganize the remaining pieces of your network after a ransomware attack, and reassemble them into a working system.

Progent's recovery team uses top-notch project management tools to orchestrate the complicated recovery process. Progent knows the importance of working swiftly and in unison with a customer's management and IT staff to prioritize tasks and put the most important applications back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Incident Restoration
A client hired Progent after their company was crippled by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state hackers, who are suspected of adopting technology leaked from the United States NSA. Ryuk targets specific businesses with little tolerance for disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk intrusion had brought down all essential business and manufacturing operations. Most of the client's backups were online when the attack began and were encrypted. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but ultimately brought in Progent.


"I cannot say enough in regards to the expertise Progent provided us throughout the most stressful time of (our) company's survival. We most likely would have paid the cybercriminals except for the confidence the Progent group provided us. That you were able to get our messaging and important applications back online in less than a week was beyond my wildest dreams. Each staff member I interacted with or communicated with at Progent was totally committed to getting us operational and was working 24 by 7 on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the most important areas that had to be addressed in order to resume company operations:

  • Windows Active Directory
  • Electronic Mail
  • Financials/MRP
To begin, Progent followed malware incident-response best practices by halting the spread and cleaning infected systems. Progent then started bringing Windows Active Directory back online, since it is the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not work without Active Directory, and the client's accounting and MRP software ran on Microsoft SQL Server, which requires Active Directory services to authenticate access to the data.

Within 48 hours, Progent had restored Active Directory services to their pre-intrusion state. Progent then rebuilt key servers and recovered their hard drives. All Exchange Server schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Offline Folder Files) on user workstations to recover email messages. A recent offline backup of the business's manufacturing software made it possible to bring these required applications back online. Although major work remained to recover completely from the Ryuk attack, essential services were restored quickly:
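The ordering described above (Active Directory first, then the services that authenticate against it) is a dependency problem that is worth writing down explicitly during an incident. The following added example, not Progent's tooling, encodes the case study's dependencies and computes restore waves; the MailStore and web-site edges are assumptions for illustration.

```python
"""Dependency-ordered recovery planner (added example, not Progent's code).

Exchange and the SQL-backed financials/MRP system both need Active Directory,
so AD must be verified before anything that authenticates against it.
"""
from collections import defaultdict

# service -> set of services it depends on (constructed from the case study;
# the MailStore and web-site edges are assumptions, not stated on the page)
CASE_STUDY_DEPS = {
    "Active Directory": set(),
    "Exchange Server": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "Financials/MRP": {"SQL Server"},
    "MailStore archive": {"Exchange Server"},     # assumption
    "Internal web sites": {"Active Directory"},   # assumption
}


def restore_waves(deps):
    """Return a list of waves; each wave is a sorted list of services that can
    be restored in parallel once every earlier wave has been verified.
    Raises ValueError if a dependency is unknown or the graph has a cycle."""
    for svc, reqs in deps.items():
        missing = reqs - deps.keys()
        if missing:
            raise ValueError(f"{svc} depends on unknown service(s): {sorted(missing)}")
    indegree = {svc: len(reqs) for svc, reqs in deps.items()}
    dependents = defaultdict(set)          # service -> services waiting on it
    for svc, reqs in deps.items():
        for r in reqs:
            dependents[r].add(svc)
    ready = sorted(s for s, d in indegree.items() if d == 0)
    waves, placed = [], 0
    while ready:
        waves.append(ready)
        placed += len(ready)
        next_ready = []
        for svc in ready:
            for dep in dependents[svc]:
                indegree[dep] -= 1
                if indegree[dep] == 0:     # all prerequisites restored
                    next_ready.append(dep)
        ready = sorted(next_ready)
    if placed != len(deps):                # something never became ready
        raise ValueError("circular dependency: no restore order exists")
    return waves


def blocked_by(deps, service):
    """All services (transitively) that must be back before `service`,
    so an incident lead can see why e.g. MRP waits on Active Directory."""
    seen, stack = set(), list(deps[service])
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(deps[s])
    return sorted(seen)
```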


"For the most part, the production line operation never missed a beat and we produced all customer sales."

Throughout the next few weeks important milestones in the recovery project were achieved through close collaboration between Progent engineers and the client:

  • In-house web sites were brought back up without losing any data.
  • The MailStore archive for Exchange Server, holding more than four million archived messages, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were fully recovered.
  • A new Palo Alto 850 firewall was brought on-line.
  • 90% of the user workstations were functioning as before the incident.

"A huge amount of what occurred that first week is mostly a blur for me, but I will not soon forget the urgency with which each of the team worked to give us our company back. I have been working with Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered. This time was the most impressive ever."

Conclusion
A likely business-ending catastrophe was averted thanks to hard-working experts, a broad range of knowledge, and close collaboration. In hindsight, the ransomware attack described here should have been stopped by current cybersecurity technology, NIST Cybersecurity Framework best practices, team training, appropriate incident response procedures for data protection, and keeping systems current with security patches. The reality remains, however, that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware attack, be assured that Progent's roster of professionals has substantial experience in ransomware defense, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), I'm grateful for allowing me to get rested after we got past the initial fire. Everyone did a fabulous job, and if any of you guys are visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Seattle a variety of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services incorporate next-generation machine learning capability to detect new variants of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses SentinelOne's cutting-edge behavior analysis tools to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to automate the complete threat lifecycle, including filtering, intrusion detection, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and respond to cyber attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering via cutting-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can help your business plan and configure a ProSight ESP deployment that meets your company's specific needs and helps you achieve and demonstrate compliance with government and industry data security standards. Progent will assist you to specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require urgent action. Progent can also help you install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services (DPS), a portfolio of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and enable non-disruptive backup and fast recovery of critical files/folders, apps, system images, and virtual machines. ProSight DPS lets you recover from data loss caused by equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, user mistakes, malicious insiders, or software glitches. Managed services in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these fully managed services are best suited to your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security vendors to deliver centralized control and world-class security for your inbound and outbound email. The powerful architecture of Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. The cloud filter acts as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and saves bandwidth and storage space. Email Guard's onsite gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map, monitor, enhance and troubleshoot their connectivity hardware such as routers, switches, firewalls, and wireless controllers, plus servers, printers, endpoints and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that network maps are always up to date, captures and displays the configuration of almost all devices on your network, monitors performance, and sends alerts when potential issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that need important software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the state of the critical assets that power your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent consultant so potential issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates next-generation behavior-based machine learning tools to guard endpoints as well as physical and virtual servers against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-based anti-virus products. Progent Active Security Monitoring services safeguard local and cloud-based resources and offer a single platform to address the complete malware attack lifecycle, including filtering, intrusion detection, containment, cleanup, and forensics. Key capabilities include one-click rollback with Windows VSS and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
    Progent's Support Desk managed services permit your information technology staff to outsource Help Desk services to Progent or divide activity for Service Desk support seamlessly between your internal network support resources and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a smooth supplement to your corporate support resources. User interaction with the Service Desk, delivery of support services, issue escalation, ticket creation and updates, efficiency metrics, and management of the service database are cohesive whether issues are taken care of by your core support resources, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of all sizes a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and tracking updates to your ever-evolving IT system. Besides maximizing the protection and reliability of your IT network, Progent's patch management services free up time for your in-house IT staff to concentrate on line-of-business projects and tasks that deliver maximum business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA managed services use Cisco's Duo cloud technology to protect against password theft through two-factor authentication (2FA). Duo supports one-tap identity verification on iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected application and enter your password you are asked to confirm your identity via a device that only you possess and that is reached over a different network channel. A wide selection of devices can be used for this added means of identity validation, including an iPhone, Android phone or wearable, a hardware or software token, a landline telephone, and so on. You can designate multiple verification devices. For details about ProSight Duo identity validation services, visit Cisco Duo MFA two-factor authentication services.
For 24/7 Seattle Crypto Removal Support Services, call Progent at 800-462-8800 or go to Contact Progent.