Ransomware: Your Worst Information Technology Disaster
Ransomware Remediation Experts
Crypto-ransomware has become an escalating cyber pandemic that presents an existential threat to organizations poorly prepared for an attack. Ransomware families such as Reveton, Fusob, Locky, Syskey and the MongoLock cryptoworms have been circulating for years and still cause damage. More recent strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, plus additional as yet unnamed variants, not only encrypt critical online data but also attack any reachable system protection mechanisms. Data synchronized to off-site disaster recovery sites can be ransomed as well. In a vulnerable environment this can make automated recovery hopeless and effectively knocks the datacenter back to zero.

Getting programs and data back online after a ransomware outage becomes a race against time as the targeted organization fights to contain the damage, remove the ransomware, and restore business-critical operations. Because ransomware needs time to spread, attacks are often launched at night or on weekends, when intrusions typically take longer to detect. This compounds the difficulty of quickly assembling and organizing a capable response team.

Progent offers a variety of services for protecting businesses from ransomware events. These include user training to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security appliances with machine learning capabilities from SentinelOne to detect and disable new cyber threats automatically. Progent also provides expert crypto-ransomware recovery engineers with the track record and commitment to restore a breached system as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys to decrypt all your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data after paying the ransom, resulting in further losses. The gamble is also very expensive: Ryuk ransoms are often several hundred thousand dollars, and for larger enterprises the ransom can run into the millions. The alternative is to rebuild the essential components of your IT environment from scratch. Without complete data backups, this calls for a wide range of IT skills, professional project management, and the willingness to work around the clock until the recovery is finished.

For decades, Progent has provided certified expert IT services for companies across the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the skills to rapidly identify the important systems, salvage the remaining pieces of your IT environment after a ransomware event, and assemble them into a working whole.

Progent's ransomware recovery team uses top-tier project management tools to coordinate the complex restoration process. Progent understands the importance of acting quickly and in concert with a client's management and IT staff to prioritize tasks and get critical applications back online as soon as possible.

Case Study: A Successful Ransomware Intrusion Restoration
A customer sought out Progent after its network was penetrated by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored hackers, possibly using algorithms leaked from the U.S. NSA. Ryuk targets specific companies with little tolerance for disruption and is among the most profitable crypto-ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business located in Chicago with about 500 employees. The Ryuk attack had halted all business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were damaged. The client was preparing to pay the ransom (more than $200K) and hope for the best, but in the end called Progent.

"I can't thank you enough in regards to the support Progent provided us during the most critical time of (our) company's survival. We most likely would have paid the Hackers except for the confidence the Progent group provided us. That you were able to get our e-mail and essential servers back into operation sooner than seven days was beyond my wildest dreams. Each expert I spoke to or e-mailed at Progent was absolutely committed to getting us restored and was working at breakneck pace on our behalf."

Progent worked with the customer to quickly identify and prioritize the most important areas that had to be recovered in order to resume business operations:

  • Windows Active Directory
  • E-Mail
  • Financials/MRP

To begin, Progent followed incident response best practices for malware outbreaks by halting the spread and removing the ransomware. Progent then began restoring Windows Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not function without AD, and the customer's accounting and MRP software used Microsoft SQL Server, which relied on Active Directory for authentication to the data.

Within two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then completed the setup and storage recovery of key systems. All Microsoft Exchange Server links and attributes were intact, which greatly simplified the rebuild of Exchange. Progent was also able to collect local OST files (Outlook offline folder files) from various workstations to recover mail data. A relatively recent offline backup of the customer's accounting software made it possible to bring these required applications back into service. Although much work remained to recover fully from the Ryuk event, critical systems were returned to operation quickly:

"For the most part, the production line operation ran fairly normally throughout and we did not miss any customer sales."
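
As an added illustration (not Progent's own tooling) of the dependency-driven prioritization described in this case study, the following Python planner encodes the stated dependencies (Exchange and the SQL-backed Financials/MRP need Active Directory first) and backup states (online backups damaged, an offline backup of the accounting system available) and emits a restoration order. The inventory, priority numbers and the "workstation OST files" fallback for Exchange are assumptions modelled on the narrative.

```python
import heapq
from typing import Dict, List, Tuple

# Constructed inventory modelled on the case study (assumption, not client data):
# each entry lists the systems it depends on, a business priority (1 = most
# urgent), and where its last usable backup lives. "online" backups were
# reachable by the ransomware and must be treated as damaged.
SYSTEMS: Dict[str, dict] = {
    "Active Directory": {"deps": [], "priority": 1, "backup": "online"},
    "Exchange": {"deps": ["Active Directory"], "priority": 2, "backup": "online",
                 "alt_source": "workstation OST files"},
    "SQL Server": {"deps": ["Active Directory"], "priority": 2, "backup": "online"},
    "Financials/MRP": {"deps": ["SQL Server"], "priority": 2, "backup": "offline"},
    "Internal web sites": {"deps": ["Active Directory"], "priority": 3, "backup": "offline"},
    "Workstations": {"deps": ["Active Directory"], "priority": 4, "backup": "none"},
}


def dependents(systems: Dict[str, dict], name: str) -> set:
    """Every system that transitively needs `name` (the blast radius of losing it)."""
    found, stack = set(), [name]
    while stack:
        cur = stack.pop()
        for other, info in systems.items():
            if cur in info["deps"] and other not in found:
                found.add(other)
                stack.append(other)
    return found


def recovery_action(info: dict, online_backups_damaged: bool) -> str:
    """Decide how a system comes back, given the state of its backups."""
    backup = info["backup"]
    if backup == "offline":
        return "restore from offline backup"
    if backup == "online" and not online_backups_damaged:
        return "restore from online backup"
    # Online copies were encrypted alongside production, or there is no backup at all.
    alt = info.get("alt_source")
    return f"rebuild, then recover data from {alt}" if alt else "rebuild from scratch"


def plan_recovery(systems: Dict[str, dict],
                  online_backups_damaged: bool = True) -> List[Tuple[str, str]]:
    """Order systems so each dependency is restored before its dependents, breaking
    ties by business priority (Kahn's topological sort driven by a heap)."""
    for name, info in systems.items():
        for dep in info["deps"]:
            if dep not in systems:
                raise ValueError(f"{name} depends on unknown system {dep}")
    indegree = {name: len(info["deps"]) for name, info in systems.items()}
    ready = [(info["priority"], n) for n, info in systems.items() if indegree[n] == 0]
    heapq.heapify(ready)
    plan: List[Tuple[str, str]] = []
    while ready:
        _, name = heapq.heappop(ready)
        plan.append((name, recovery_action(systems[name], online_backups_damaged)))
        for other, info in systems.items():
            if name in info["deps"]:
                indegree[other] -= 1
                if indegree[other] == 0:
                    heapq.heappush(ready, (info["priority"], other))
    if len(plan) != len(systems):  # something never reached indegree 0
        stuck = ", ".join(n for n in systems if indegree[n] > 0)
        raise ValueError(f"circular dependency among: {stuck}")
    return plan


if __name__ == "__main__":
    print("Losing AD takes down:", sorted(dependents(SYSTEMS, "Active Directory")))
    for step, (name, action) in enumerate(plan_recovery(SYSTEMS), 1):
        print(f"{step}. {name}: {action}")
```

Active Directory comes first not because of its priority number alone but because every other system in the inventory transitively depends on it, which is the same conclusion the recovery team reached.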

Over the following couple of weeks, key milestones in the recovery were reached through close collaboration between Progent engineers and the customer:

  • Internal web sites were brought back up with no loss of data.
  • The MailStore archive for Microsoft Exchange Server, holding more than 4 million historical emails, was brought back up and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • 90% of the desktops and laptops were back into operation.

"Much of what happened that first week is nearly entirely a blur for me, but my management will not soon forget the urgency each of you accomplished to give us our business back. I have entrusted Progent for the past 10 years, possibly more, and every time Progent has come through and delivered as promised. This time was a testament to your capabilities."

Conclusion
A potentially business-ending disaster was averted by dedicated professionals, a broad spectrum of subject matter expertise, and close teamwork. Although in hindsight the crypto-ransomware attack described here could have been stopped with advanced cyber security solutions and best practices, staff training, and well-designed incident response procedures covering data backup and proper patch management, the reality is that state-sponsored hackers from Russia, China and elsewhere are relentless and are not going away. If you are hit by a crypto-ransomware attack, remember that Progent's team of experts has a proven track record in ransomware blocking, remediation, and information systems disaster recovery.

"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for letting me get some sleep after we got past the initial push. Everyone made an amazing effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, please click: Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Mesa a portfolio of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services include modern artificial intelligence technology to detect new variants of ransomware that can get past traditional signature-based security solutions.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management technology to help keep your IT system running at peak levels by tracking the state of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT personnel and your assigned Progent consultant so all potential problems can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Desktops
    ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-based platform for monitoring and managing your client-server infrastructure by offering an environment for streamlining common time-consuming tasks. These can include health checking, patch management, automated repairs, endpoint configuration, backup and recovery, A/V protection, secure remote access, built-in and custom scripts, asset inventory, endpoint profile reporting, and troubleshooting support. If ProSight LAN Watch with NinjaOne RMM spots a serious issue, it sends an alarm to your specified IT management personnel and your Progent technical consultant so potential problems can be taken care of before they interfere with productivity. Find out more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring services.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to diagram, monitor, optimize and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are always current, captures and displays the configuration information of almost all devices on your network, monitors performance, and sends alerts when problems are discovered. By automating complex network management processes, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, reconfiguring your network, locating appliances that require important software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of real-time and in-depth reporting tools designed to work with the leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology providers to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that provide backup-as-a-service. ProSight DPS services automate and track your backup operations and enable non-disruptive backup and rapid recovery of important files, applications, system images, and virtual machines. ProSight DPS helps you avoid data loss resulting from equipment breakdown, natural disasters, fire, malware such as ransomware, user mistakes, ill-intentioned insiders, or software glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security vendors to deliver centralized control and comprehensive protection for your inbound and outbound email. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises gateway device to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The cloud filter acts as a preliminary barricade and blocks most threats from reaching your network firewall. This reduces your exposure to inbound attacks and conserves bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper level of analysis for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication. Duo supports single-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. Using Duo 2FA, whenever you log into a secured application and enter your password you are requested to confirm who you are via a device that only you possess and that uses a separate network channel. A broad selection of out-of-band devices can be used for this second means of ID validation including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You can designate several verification devices. For more information about Duo two-factor identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Call Center services permit your IT team to offload Help Desk services to Progent or split responsibilities for Service Desk support transparently between your in-house support staff and Progent's extensive pool of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a transparent extension of your core network support staff. End user access to the Service Desk, delivery of technical assistance, escalation, ticket generation and updates, performance measurement, and maintenance of the support database are cohesive whether incidents are resolved by your internal support staff, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Call Center services.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates next generation behavior analysis technology to guard endpoint devices as well as servers and VMs against modern malware attacks like ransomware and email phishing, which routinely evade traditional signature-based AV tools. Progent ASM services protect local and cloud resources and provide a single platform to manage the complete threat lifecycle including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can save as much as half of the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of any size a versatile and affordable solution for assessing, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT network. Besides maximizing the protection and reliability of your computer environment, Progent's software/firmware update management services free up time for your IT staff to focus on more strategic initiatives and activities that derive maximum business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure, fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be ported immediately to an alternate hardware environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud resources and offers a single platform to address the entire threat progression including protection, identification, containment, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP offers firewall protection, penetration alerts, device management, and web filtering through leading-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that addresses your organization's unique requirements and that helps you demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent can also assist your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

For 24/7 Mesa Crypto-Ransomware Removal Experts, call Progent at 800-462-8800 or go to Contact Progent.