Ransomware : Your Crippling Information Technology Catastrophe
Crypto-Ransomware Recovery Experts
Crypto-ransomware has become an escalating plague that presents an extinction-level risk for businesses poorly prepared for an attack. Ransomware families such as Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock have been circulating for years and continue to inflict damage. Recent strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Egregor, along with a steady stream of as yet unnamed variants, not only encrypt critical online data but also go after whatever recovery mechanisms they can reach: backups on network shares, Volume Shadow Copies, and replicas. Data synced to an off-site disaster recovery site can be encrypted right along with the primary copy if the replication channel or the DR site is reachable with the same credentials the attacker holds. In a poorly architected environment this makes automated restoration impossible and effectively knocks the datacenter back to zero.

Recovering services and data after a ransomware event becomes a sprint against time as the victim fights to stop the spread, eradicate the ransomware, and resume business-critical activity. Because encryption takes time to spread across an environment, operators often trigger it at night or over a weekend, when the intrusion is likely to go unnoticed longer. This compounds the difficulty of rapidly marshalling and coordinating a qualified response team.

Progent offers a variety of services for protecting enterprises from crypto-ransomware. These include staff education to help recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), a managed endpoint protection service built on SentinelOne's behavior-based machine learning, which identifies and quarantines zero-day threats that signature-based antivirus misses. Progent can also provide the services of expert ransomware recovery professionals with the skills and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over working decryption keys for any or all of your files. Kaspersky found that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. Paying is also expensive: Ryuk ransoms typically run to several hundred thousand dollars, and for larger organizations can reach millions. The alternative is to rebuild the vital components of your IT environment from scratch. Without access to complete, uninfected backups, this requires a wide range of IT skills, strong project management, and the willingness to work around the clock until the job is done.

For two decades, Progent has offered professional IT services to companies throughout the US and has earned Microsoft Partner status with the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers holding top certifications in leading technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's security consultants hold internationally recognized industry certifications including CISA and CRISC (ISACA), CISSP, GIAC, and CMMC 2.0. (See Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of experience lets Progent quickly determine which systems are essential, salvage the surviving pieces of your IT environment after a ransomware event, and rebuild them into a functioning whole.

Progent's recovery team uses professional project management tools to orchestrate the complex recovery process. Progent understands the urgency of working quickly and in unison with the customer's management and IT staff to prioritize tasks and bring critical systems back online as soon as humanly possible.

Case Study: A Successful Ransomware Intrusion Response
A customer sought out Progent after their company was brought down by the Ryuk ransomware. Ryuk was initially linked by some analysts to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, but later analysis attributed its operation to a Russian-speaking criminal group. Ryuk is deployed by hand against selected organizations with little tolerance for downtime and has been among the most lucrative ransomware operations. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with around 500 employees. The Ryuk intrusion had halted all company operations and manufacturing processes. Most of the client's backups were online and reachable from the compromised domain at the time of the intrusion, and were encrypted along with the production data. The client was arranging financing to pay the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent.


"I can't speak enough about the help Progent gave us throughout the most stressful time of (our) business's life. We would have had little choice but to pay the cybercriminals if not for the confidence the Progent experts gave us. The fact that you could get our e-mail system and production servers back into operation in less than a week was amazing. Each staff member I interacted with or texted at Progent was amazingly focused on getting our system up and was working day and night on our behalf."

Progent worked together with the client to rapidly identify and prioritize the critical applications that needed to be restored in order to continue company operations:

  • Active Directory (AD)
  • Microsoft Exchange
  • Financials/MRP
Progent first followed standard malware incident-response practice: isolating affected systems to stop lateral movement, then eradicating the infection from compromised hosts. Progent then began rebuilding Active Directory, the heart of any enterprise environment built on Windows Server. Exchange Server will not run without AD, and the business's financials and MRP software ran on Microsoft SQL Server, which relied on Active Directory for Windows authentication of the users and services that access the data.
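The dependency reasoning in the paragraph above (nothing comes back until AD does; Exchange and SQL Server hang off it; the MRP application hangs off SQL Server) can be written down as a graph and used to generate the restore plan, so that the order is derived rather than argued about at 3 a.m. The following Python is an added example, not Progent's tooling; the dependency map, including the AD-integrated DNS entry, is an assumption modelled on the systems named in this case study.

```python
"""Restore-order planner: derive rebuild waves from a service dependency graph.

Added example; the dependency map below is an assumption modelled on the case
study (Active Directory first, then everything that authenticates against it).
"""

# Each key is a service; its value lists the services that must be running
# before it can be restored. (Assumed topology, not an inventory from the page.)
SERVICE_DEPENDENCIES = {
    "Active Directory": [],
    "DNS": ["Active Directory"],                      # AD-integrated zones (assumption)
    "SQL Server": ["Active Directory"],               # Windows authentication against AD
    "Exchange Server": ["Active Directory", "DNS"],
    "Financials/MRP": ["SQL Server"],
    "Internal web apps": ["Active Directory", "SQL Server"],
    "MailStore Server": ["Exchange Server"],
}


def restore_waves(deps):
    """Group services into waves such that every dependency of a service in
    wave k sits in some wave < k. Services within one wave can be rebuilt in
    parallel. Raises ValueError on a dependency cycle or an unknown service,
    because such a plan cannot be executed."""
    if not deps:
        return []
    wave = {}
    in_progress = set()

    def wave_of(svc):
        if svc in wave:
            return wave[svc]
        if svc not in deps:
            raise ValueError(f"unknown service in dependency list: {svc!r}")
        if svc in in_progress:
            raise ValueError(f"circular dependency involving {svc!r}")
        in_progress.add(svc)
        level = 0 if not deps[svc] else 1 + max(wave_of(d) for d in deps[svc])
        in_progress.remove(svc)
        wave[svc] = level
        return level

    for svc in deps:
        wave_of(svc)

    waves = [[] for _ in range(max(wave.values()) + 1)]
    for svc in sorted(wave, key=lambda s: (wave[s], s)):
        waves[wave[svc]].append(svc)
    return waves


def blocked_by(deps, failed):
    """Everything that cannot be restored while `failed` is still down:
    the transitive dependents of that service."""
    blocked, frontier = set(), {failed}
    while frontier:
        frontier = {s for s, needs in deps.items()
                    if set(needs) & frontier and s not in blocked}
        blocked |= frontier
    return sorted(blocked)


if __name__ == "__main__":
    for n, group in enumerate(restore_waves(SERVICE_DEPENDENCIES)):
        print(f"wave {n}: {', '.join(group)}")
    print("blocked while AD is down:", blocked_by(SERVICE_DEPENDENCIES, "Active Directory"))
```

For the assumed map this yields AD alone in wave 0, DNS and SQL Server in wave 1, Exchange, the MRP application and the web apps in wave 2, and MailStore last. The cycle check matters in practice: a map that says "AD needs the backup server, the backup server needs AD" is exactly the situation that turned the client's online backups into more encrypted data, and the planner refuses it rather than silently producing an order.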

Within two days, Progent had recovered Active Directory to its pre-attack state. Progent then completed system setup and storage recovery on the essential servers. Exchange Server's data and configuration attributes were still usable, which simplified the Exchange restore. To recover mailbox contents that were not otherwise available, Progent collected the Outlook offline data files (OST) cached on employees' PCs and laptops; an OST is a per-user cache, so what can be recovered this way is bounded by what each client had synced before the attack. A recent offline backup of the business's manufacturing software made it possible to bring those vital applications back online. Although significant work remained to recover fully from the Ryuk event, the most important systems were restored rapidly:


"For the most part, the production operation survived unscathed and we produced all customer shipments."

During the following month important milestones in the restoration project were completed in tight cooperation between Progent team members and the client:

  • Internal web applications were restored without losing any information.
  • The MailStore Server containing more than four million historical emails was brought online and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were fully recovered.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Ninety percent of the user workstations were back into operation.

"So much of what transpired in the early hours is mostly a fog for me, but we will not forget the commitment each and every one of the team showed to help get our business back. I have been working together with Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This situation was a stunning achievement."

Conclusion
A likely company-ending catastrophe was averted through hard-working professionals, a wide array of expertise, and tight collaboration. In hindsight, the incident described here could have been contained by modern endpoint protection, staff training, offline or immutable backups, proper patching, and a rehearsed incident response plan; the reality, however, is that criminal and state-sponsored groups in Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by a ransomware incident, remember that Progent's roster of professionals has proven experience in ransomware defense, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thanks very much for allowing me to get some sleep after we made it past the most critical parts. All of you did an amazing job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Detroit a range of remote monitoring and security assessment services to help minimize your exposure to ransomware. The endpoint protection services among them use behavior-based machine learning to catch new strains of ransomware that evade legacy signature-based antivirus; the others reduce exposure by keeping patching, backups, documentation and monitoring in order.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT staff and your assigned Progent consultant so any potential issues can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM Solution for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-based solution for monitoring and managing your network, server, and desktop devices by providing tools for performing common time-consuming jobs. These can include health checking, update management, automated remediation, endpoint deployment, backup and restore, A/V response, remote access, built-in and custom scripts, asset inventory, endpoint status reporting, and troubleshooting help. When ProSight LAN Watch with NinjaOne RMM spots a serious incident, it sends an alert to your designated IT management staff and your Progent consultant so that potential problems can be taken care of before they interfere with your network. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring consulting.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, track, enhance and troubleshoot their connectivity hardware such as routers and switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, copies and displays the configuration of almost all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off common chores like network mapping, expanding your network, locating appliances that require critical updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time reporting plug-ins designed to work with the industry's leading ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-through or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services, a selection of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and enable non-disruptive backup and rapid restoration of critical files, applications, images, plus VMs. ProSight DPS lets you protect against data loss resulting from equipment failures, natural calamities, fire, cyber attacks like ransomware, human error, malicious employees, or software bugs. Managed services in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security companies to provide centralized control and comprehensive security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway appliance to defend against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's onsite gateway device provides a further layer of inspection for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication managed services use Cisco's Duo technology to defend against compromised passwords through two-factor authentication. Duo supports one-tap identity verification on Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess, reached over a separate channel. A wide range of devices can serve as this second factor: an iPhone or Android phone, a smartwatch, a hardware or software token, or a landline telephone, and you can enroll more than one. Phone-call and SMS factors are the weakest of these, since phone numbers can be ported or intercepted, so reserve them for fallback rather than everyday use. For more information about Duo two-factor identity authentication services, refer to Cisco Duo MFA two-factor authentication services for access security.

  • Outsourced/Co-managed Call Center: Help Desk Managed Services
    Progent's Call Desk managed services enable your information technology team to outsource Call Center services to Progent or divide responsibilities for support services seamlessly between your in-house network support resources and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a smooth supplement to your internal support resources. End user interaction with the Service Desk, provision of technical assistance, escalation, ticket generation and tracking, efficiency measurement, and management of the service database are cohesive whether incidents are taken care of by your core IT support group, by Progent's team, or both. Find out more about Progent's outsourced/shared Service Center services.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates modern behavior analysis technology to guard endpoint devices and physical and virtual servers against current malware attacks like ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus products. The service protects local and cloud-based resources and offers a unified platform to manage the complete threat lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Rollback is only as good as the shadow copies it relies on; deleting them is one of the first things most ransomware families do, so the agent must protect VSS snapshots from tampering for the feature to hold up in a real incident. Read more about Progent's ransomware defense and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect data about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL/TLS certificates or domain registrations. By keeping your IT infrastructure documentation current and organized, you can eliminate up to half of the time wasted searching for critical information about your network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide businesses of any size a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and documenting updates to your ever-evolving information system. Besides maximizing the protection and functionality of your IT network, Progent's software/firmware update management services free up time for your in-house IT staff to focus on more strategic initiatives and tasks that deliver maximum business value from your network. Read more about Progent's patch management support services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hardware environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that uses SentinelOne's behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. ProSight ASM protects on-premises and cloud-based resources and offers a single platform to manage the whole attack lifecycle including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
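Both the Active Protection Against Ransomware entry above and this ProSight ASM entry rest on the same distinction: a signature scanner asks whether bytes match a known sample, while a behavioral detector asks whether a process is doing what ransomware does. The smallest useful version of that second question is an entropy check over file writes, shown here in Python as an added example that is not SentinelOne's or Progent's code. The telemetry events, the process names, the thresholds, and the ".locked" extension are all constructed for the example; a commercial agent correlates many more signals than this, but the shape of the logic is the same.

```python
"""Behavior-based ransomware heuristic over file-write telemetry.

Added example, not SentinelOne's or Progent's code. A process that rewrites
many existing, low-entropy documents into near-random bytes (and typically
renames them) is encrypting them. The sample events at the bottom are
constructed, not real telemetry.
"""
import hashlib
import math
import os
import zlib
from collections import Counter, defaultdict
from dataclasses import dataclass

LOW_ENTROPY = 6.0          # bits/byte; documents, source and CSV sit well below this
HIGH_ENTROPY = 7.5         # encrypted or well-compressed data sits above this
MIN_SUSPICIOUS_WRITES = 5  # rewrites per process before alerting (tune per environment)
# Formats that are legitimately near 8 bits/byte; a rewrite to one of these is
# not by itself evidence of encryption.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4"}


@dataclass
class WriteEvent:
    pid: int
    process: str
    path_before: str     # "" when the file is newly created
    path_after: str      # differs from path_before when the file was renamed
    data_before: bytes   # b"" when the file is newly created
    data_after: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_rewrite(ev: WriteEvent) -> bool:
    """Existing readable content replaced by near-random bytes."""
    if not ev.data_before:
        return False  # new files (backup archives, downloads) have no 'before' to compare
    if os.path.splitext(ev.path_after)[1].lower() in COMPRESSED_EXTS:
        return False
    return (shannon_entropy(ev.data_before) < LOW_ENTROPY
            and shannon_entropy(ev.data_after) > HIGH_ENTROPY)


def flag_processes(events):
    """Return {pid: (process name, suspicious rewrite count)} for every process
    that crossed the threshold. A real agent acts on the first hit past the
    threshold (kill, isolate) rather than waiting for the batch to finish."""
    counts, names = defaultdict(int), {}
    for ev in events:
        if is_suspicious_rewrite(ev):
            counts[ev.pid] += 1
            names[ev.pid] = ev.process
    return {pid: (names[pid], n) for pid, n in counts.items() if n >= MIN_SUSPICIOUS_WRITES}


# ---- constructed sample telemetry -------------------------------------------
PLAINTEXT = b"Invoice 1001: 40 units of part A-17, net 30 days. " * 80  # ~4 KB document


def simulated_ciphertext(plain: bytes, label: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. This is NOT a real cipher; it only
    produces deterministic high-entropy bytes so the example runs offline."""
    stream = b"".join(hashlib.sha256(label + i.to_bytes(4, "big")).digest()
                      for i in range(len(plain) // 32 + 1))
    return bytes(p ^ k for p, k in zip(plain, stream))


def sample_events():
    events = []
    # pid 4242: an unknown binary rewrites eight invoices and appends ".locked"
    # (hypothetical extension chosen for the example).
    for i in range(8):
        src = f"\\\\fileserver\\finance\\invoice{i}.txt"
        events.append(WriteEvent(4242, "unknown.exe", src, src + ".locked",
                                 PLAINTEXT, simulated_ciphertext(PLAINTEXT, f"file{i}".encode())))
    # pid 100: the backup job writes a brand-new compressed archive: high entropy, but benign.
    events.append(WriteEvent(100, "backup.exe", "", r"D:\backup\finance.zip",
                             b"", zlib.compress(PLAINTEXT)))
    # pid 777: a user saves an edited document in place: stays low entropy.
    events.append(WriteEvent(777, "winword.exe", r"C:\Users\jane\notes.txt",
                             r"C:\Users\jane\notes.txt", PLAINTEXT, PLAINTEXT + b"Updated."))
    return events


if __name__ == "__main__":
    for pid, (name, n) in flag_processes(sample_events()).items():
        print(f"ALERT pid={pid} {name}: {n} documents rewritten as high-entropy data")
```

Only the unknown binary is flagged: the backup job's archive is high-entropy but creates a new file rather than rewriting an existing one, and the user's edit stays low-entropy. The two false-positive guards (no "before" content, known compressed formats) are exactly where such heuristics get tuned in production, and the threshold of five rewrites is the trade-off between alerting early and alerting on a user who zips a folder.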

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and react to attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through tools incorporated within one agent and accessible from a single console. Progent's security and virtualization consultants can help you design and configure a ProSight ESP environment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent can also help you install and verify a backup and restore system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.
For Detroit 24x7x365 CryptoLocker Repair Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.