Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware Remediation Experts
Ransomware has become a too-frequent cyber pandemic that presents an extinction-level danger for organizations vulnerable to an attack. Families of ransomware such as Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for many years and continue to cause harm. More recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus additional as yet unnamed newcomers, not only encrypt online critical data but also go after every accessible system protection mechanism. Files synched to off-site disaster recovery sites can also be encrypted. In a poorly designed data protection solution, this can render automatic restore operations impossible and effectively set the network back to zero.

Getting programs and data back following a crypto-ransomware attack becomes a race against time as the targeted business struggles to contain and clean up the ransomware and to restore enterprise-critical activity. Because ransomware needs time to replicate, attacks are often sprung during weekends and nights, when penetrations are likely to take more time to uncover. This multiplies the difficulty of promptly mobilizing and organizing an experienced response team.

Progent provides a range of solutions for protecting organizations from crypto-ransomware penetrations. Among these are user education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security appliances with machine learning capabilities from SentinelOne to discover and extinguish new threats quickly. Progent also provides the services of veteran crypto-ransomware recovery professionals with the talent and commitment to reconstruct a compromised network as soon as possible.

Progent's Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the cyber criminals will provide the keys needed to decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to set up the key components of your IT environment from scratch. Without access to complete data backups, this requires a broad complement of IT skills, well-coordinated project management, and the willingness to work non-stop until the recovery project is complete.

For decades, Progent has offered certified expert Information Technology services for businesses in Mesa and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded advanced industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distros of Linux. Progent's cyber security consultants have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of expertise gives Progent the ability to quickly identify important systems, consolidate the surviving components of your network environment after a ransomware attack, and assemble them into a functioning network.

Progent's security group uses best of breed project management applications to coordinate the complex restoration process. Progent knows the importance of working rapidly and in concert with a client's management and Information Technology team members to prioritize tasks and to get essential applications back on line as soon as humanly possible.

Customer Story: A Successful Ransomware Incident Recovery
A customer sought out Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored criminal gangs, suspected of adopting technology exposed from the United States NSA. Ryuk goes after specific companies with little or no tolerance for operational disruption and is one of the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago with about 500 staff members. The Ryuk attack had disabled all business operations and manufacturing processes. Most of the client's backups had been directly accessible on the network at the start of the attack and were eventually encrypted. The client considered paying the ransom (more than $200K) and praying for good luck, but in the end reached out to Progent.


"I can't thank you enough in regards to the expertise Progent gave us throughout the most fearful period of (our) company's life. We would have paid the cybercriminals except for the confidence the Progent group afforded us. The fact that you could get our messaging and key applications back faster than one week was incredible. Every single staff member I talked with or messaged at Progent was absolutely committed to getting my company operational and was working at breakneck pace on our behalf."

Progent worked hand in hand with the client to rapidly identify and prioritize the critical areas that had to be addressed in order to resume company functions:

  • Windows Active Directory
  • Microsoft Exchange
  • Financials/MRP
To begin, Progent followed malware containment best practices by stopping the spread and disinfecting systems. Progent then started the steps of rebuilding Microsoft Active Directory, the foundation of enterprise systems built on Microsoft technology. Microsoft Exchange email will not operate without Active Directory, and the client's MRP software used Microsoft SQL Server, which depends on Active Directory services for access to the databases.
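The order of rebuild above follows from the dependency chain (Exchange and SQL Server need Active Directory; the MRP and financial applications need SQL Server). The following is an added example, not Progent's own tooling, that generalizes this into a small restore-order planner: it takes a dependency map (the one below is constructed from the case study and is an assumption) and produces an order in which every service is rebuilt only after what it depends on, and it reports which services stay down while a given dependency is still out.

```python
"""Restore-order planner for ransomware recovery.

Given which services depend on which, compute an order in which to rebuild
them so that every dependency is restored first (Kahn's topological sort),
and show the blast radius of an unrestored dependency.
Added example, not Progent's code; the dependency map is an assumption
built from the case study narrative.
"""
from collections import defaultdict, deque

# Constructed dependency map: service -> services it requires to run.
CASE_STUDY_DEPENDENCIES = {
    "Active Directory": [],
    "Microsoft Exchange": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP": ["SQL Server"],
    "Financials": ["SQL Server"],
}


def _dependents_index(dependencies):
    """Invert the map: service -> services that require it."""
    dependents = defaultdict(list)
    for svc, reqs in dependencies.items():
        for req in reqs:
            if req not in dependencies:
                raise KeyError(f"{svc!r} depends on unknown service {req!r}")
            dependents[req].append(svc)
    return dependents


def restore_order(dependencies):
    """Return a rebuild order with every dependency before its dependents.

    Uses Kahn's algorithm; ties are broken alphabetically so the output is
    deterministic. A cycle means the plan is inconsistent, so raise.
    """
    dependents = _dependents_index(dependencies)
    indegree = {svc: len(reqs) for svc, reqs in dependencies.items()}
    ready = deque(sorted(svc for svc, n in indegree.items() if n == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for dep in sorted(dependents[svc]):
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
    if len(order) != len(dependencies):
        stuck = sorted(svc for svc, n in indegree.items() if n > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return order


def transitive_dependents(dependencies, service):
    """Every service that stays unavailable while `service` is still down."""
    dependents = _dependents_index(dependencies)
    seen, stack = set(), [service]
    while stack:
        current = stack.pop()
        for dep in dependents[current]:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


if __name__ == "__main__":
    for step, svc in enumerate(restore_order(CASE_STUDY_DEPENDENCIES), 1):
        print(f"{step}. rebuild {svc}")
    blocked = transitive_dependents(CASE_STUDY_DEPENDENCIES, "Active Directory")
    print("down until Active Directory is back:", sorted(blocked))
```

Running it prints Active Directory first, then Exchange and SQL Server, then the SQL-backed applications; the blast-radius query shows why Active Directory had to come first, since every other service in the map is unusable until it is restored.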

In less than 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then assisted with rebuilding and storage recovery of critical applications. All Microsoft Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to gather local OST files (Outlook Offline Data Files) from staff workstations in order to recover mail data. A fairly recent offline backup of the customer's accounting software made it possible to restore these required applications to serving users. Although major work remained to recover fully from the Ryuk event, the most important services were recovered rapidly:


"For the most part, the manufacturing operation was never shut down and we did not miss any customer deliverables."

During the next few weeks key milestones in the restoration process were accomplished in tight collaboration between Progent engineers and the customer:

  • Internal web applications were returned to operation with no loss of information.
  • The MailStore Exchange Server with over four million archived messages was spun up and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control capabilities were 100 percent recovered.
  • A new Palo Alto 850 security appliance was set up.
  • Most of the user desktops and notebooks were fully operational.

"A huge amount of what was accomplished those first few days is nearly entirely a haze for me, but we will not forget the care all of you put in to help get our business back. I've entrusted Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This time was no exception but maybe more Herculean."

Conclusion
A probable business extinction disaster was avoided through the efforts of results-oriented professionals, a wide spectrum of IT skills, and close collaboration. Although in retrospect the ransomware attack detailed here would have been identified and disabled with current cyber security systems and recognized best practices, team education, and properly executed security procedures for data protection and software patching, the fact remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incursion, be confident that Progent's roster of professionals has proven experience in ransomware defense, removal, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for letting me get rested after we made it through the initial fire. Everyone did a fabulous job, and if any of your team is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Mesa a variety of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence technology to detect zero-day variants of ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior-based analysis tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which easily escape traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a unified platform to manage the entire threat lifecycle including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that meets your company's specific requirements and that allows you to prove compliance with government and industry data protection regulations. Progent will assist you to define and configure the policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent attention. Progent's consultants can also help your company to set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services (DPS), a portfolio of managed offerings that provide backup-as-a-service. ProSight DPS products manage and track your data backup processes and allow transparent backup and rapid restoration of important files/folders, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss resulting from hardware failures, natural disasters, fire, cyber attacks such as ransomware, user error, ill-intentioned employees, or software glitches. Managed services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security vendors to provide centralized control and comprehensive protection for your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the local security gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, reconfigure and debug their networking hardware such as switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are always current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and sends notices when problems are detected. By automating complex management activities, WAN Watch can knock hours off common chores like network mapping, expanding your network, finding appliances that need critical updates, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the state of the vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management personnel and your assigned Progent consultant so any looming issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Since the system is virtualized, it can be moved easily to a different hardware solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can save as much as 50% of the time thrown away looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your business network, like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes next generation behavior analysis technology to defend endpoint devices and physical and virtual servers against new malware assaults like ransomware and email phishing, which routinely evade legacy signature-based AV products. Progent's Active Security Monitoring services safeguard on-premises and cloud-based resources and offer a single platform to address the entire threat progression including protection, identification, mitigation, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Service Center: Help Desk Managed Services
    Progent's Call Center managed services enable your information technology team to outsource Call Center services to Progent or divide activity for support services transparently between your in-house network support resources and Progent's extensive roster of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth extension of your corporate support resources. Client interaction with the Help Desk, delivery of support, escalation, trouble ticket creation and tracking, efficiency metrics, and maintenance of the support database are cohesive whether incidents are taken care of by your corporate IT support staff, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a flexible and affordable alternative for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information network. Besides maximizing the security and functionality of your IT network, Progent's software/firmware update management services permit your IT staff to focus on more strategic projects and tasks that deliver maximum business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to defend against password theft by using two-factor authentication. Duo supports one-tap identity verification on Apple iOS, Android, and other out-of-band devices. Using 2FA, when you sign into a secured application and give your password, you are asked to confirm your identity on a device that only you have and that uses a different ("out-of-band") network channel. A wide selection of devices can be used for this added means of authentication, including an iPhone, Android phone or wearable, a hardware token, a landline telephone, etc. You may register several verification devices. To find out more about Duo two-factor identity validation services, go to Duo MFA two-factor authentication services for access security.
For Mesa 24/7/365 CryptoLocker Removal Consulting, contact Progent at 800-462-8800 or go to Contact Progent.