Ransomware: Your Worst IT Nightmare
Ransomware has become a modern cyberplague that poses an extinction-level danger for organizations unprepared for an assault. Different iterations of ransomware such as Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for many years and still cause damage. Recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with more unnamed newcomers, not only encrypt online information but also attack every configured system protection mechanism. Information replicated to off-site disaster recovery sites can also be held hostage. In a poorly designed system, this can render automatic restore operations impossible and effectively set the entire environment back to zero.
Retrieving applications and data following a ransomware attack becomes a sprint against the clock as the victim fights to stop the spread, clear the ransomware, and resume mission-critical activity. Because ransomware requires time to propagate, assaults are often launched on weekends, when a successful penetration is likely to go unnoticed for longer. This compounds the difficulty of rapidly marshalling and orchestrating a qualified mitigation team.
Progent provides a range of services for protecting organizations from crypto-ransomware events. These include team member education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of the latest generation security gateways with artificial intelligence capabilities from SentinelOne to detect and disable zero-day threats automatically. Progent can also provide the services of seasoned ransomware recovery engineers with the talent and perseverance to restore a breached environment as quickly as possible.
Progent's Ransomware Restoration Help
Soon after a crypto-ransomware penetration, paying the ransom demand in cryptocurrency does not ensure that the cyber hackers will respond with the keys to decrypt any of your files. Kaspersky determined that 17% of ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms are typically a few hundred thousand dollars. For larger organizations, the ransom demand can reach millions of dollars. The other path is to piece back together the key elements of your Information Technology environment. Absent access to essential data backups, this requires a broad complement of skills, top-notch project management, and the capability to work 24x7 until the recovery project is done.
For two decades, Progent has made available professional Information Technology services for businesses across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent in addition has expertise with financial systems and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably assess important systems, integrate the remaining pieces of your Information Technology environment following a ransomware attack, and assemble them into a functioning network.
Progent's ransomware team of experts utilizes powerful project management tools to orchestrate the complicated restoration process. Progent appreciates the importance of acting rapidly and in concert with a client's management and Information Technology staff to prioritize tasks and to get essential applications back online as fast as humanly possible.
Client Story: A Successful Ransomware Penetration Response
A customer sought out Progent after their network system was brought down by Ryuk ransomware. Ryuk is believed to have been launched by North Korean government-sponsored cybercriminals, possibly using approaches exposed from the United States National Security Agency. Ryuk targets specific organizations with little or no ability to sustain disruption and is one of the most lucrative versions of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with about 500 workers. The Ryuk event had shut down all company operations and manufacturing processes. The majority of the client's data backups had been online at the start of the attack and were encrypted. The client was evaluating paying the ransom (in excess of $200,000) and praying for the best, but in the end called Progent.
"I cannot tell you enough about the expertise Progent provided us during the most stressful period of (our) business's survival. We had little choice but to pay the hackers except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and key servers back in less than 1 week was something I thought impossible. Every single expert I talked with or texted at Progent was laser focused on getting our company operational and was working non-stop to bail us out."
Progent worked together with the client to quickly understand and prioritize the key areas that needed to be restored in order to resume company functions:
- Microsoft Active Directory
- Microsoft Exchange Email
- Financials/MRP
To begin, Progent adhered to industry best practices for malware incident response by isolating and cleaning infected systems. Progent then began the process of recovering Microsoft AD, the core of enterprise systems built upon Microsoft technology. Exchange email will not work without Windows AD, and the client's accounting and MRP software used Microsoft SQL Server, which relies on Windows AD for authentication and authorization to the data.
In less than 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then rebuilt mission-critical servers and recovered their hard drives. All Microsoft Exchange Server schema and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder Files) on various workstations and laptops in order to recover mail messages. A recent offline backup of the client's financials/ERP software made it possible to return these vital applications to service. Although a large amount of work still had to be done to recover completely from the Ryuk damage, critical systems were recovered quickly:
"For the most part, the production operation was never shut down and we produced all customer orders."
Throughout the next month, important milestones in the restoration project were achieved in tight cooperation between Progent team members and the customer:
- Self-hosted web applications were brought back up without losing any information.
- The MailStore Microsoft Exchange Server archive, holding more than four million historical emails, was brought online and made available to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory Control functions were 100% operational.
- A new Palo Alto 850 firewall was brought on-line.
- Ninety percent of the user desktops were fully operational.
"A lot of what was accomplished in the initial days is nearly entirely a haze for me, but my management will not soon forget the countless hours each of you accomplished to give us our company back. I have been working with Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered. This time was a Herculean accomplishment."
Conclusion
A probable enterprise-killing disaster was averted due to results-oriented experts, a wide array of IT skills, and close collaboration. Although, in post mortem, the ransomware penetration detailed here should have been identified and blocked with current security technology, ISO/IEC 27001 best practices, team education, and properly executed incident response procedures for data backup and patching controls, the reality is that government-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has a proven track record in ransomware blocking, removal, and file disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for allowing me to get rested after we got over the first week. Everyone did a fabulous job, and if any of you guys are around the Chicago area, a great meal is on me!"
To read or download a PDF version of this case study, click: Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Miami Beach a range of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services incorporate modern artificial intelligence capability to uncover zero-day variants of ransomware that are able to get past traditional signature-based security products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the health of critical assets that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT management personnel and your assigned Progent consultant so that any potential problems can be addressed before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-based platform for managing your network, server, and desktop devices by providing tools for performing common time-consuming tasks. These can include health monitoring, patch management, automated remediation, endpoint configuration, backup and restore, anti-virus response, remote access, built-in and custom scripts, asset inventory, endpoint profile reporting, and troubleshooting support. When ProSight LAN Watch with NinjaOne RMM spots a serious problem, it sends an alert to your specified IT management personnel and your Progent consultant so that emerging issues can be fixed before they interfere with productivity. Find out more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring services.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, track, enhance and debug their networking hardware such as routers and switches, firewalls, and load balancers plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are kept current, copies and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are discovered. By automating time-consuming network management processes, WAN Watch can knock hours off common chores like network mapping, expanding your network, finding devices that need critical software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of real-time and in-depth reporting tools created to work with the top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has partnered with advanced backup software providers to create ProSight Data Protection Services (DPS), a selection of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup operations and allow non-disruptive backup and fast restoration of critical files/folders, applications, system images, plus VMs. ProSight DPS lets you protect against data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, malicious employees, or software glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security vendors to deliver web-based control and comprehensive protection for all your email traffic. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and keeps the vast majority of threats from making it to your network firewall. This decreases your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the local security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo supports single-tap identity confirmation with Apple iOS, Android, and other personal devices. With Duo 2FA, when you sign into a protected online account and give your password you are asked to confirm who you are on a device that only you have and that is accessed using a different ("out-of-band") network channel. A broad range of devices can be used for this added means of authentication including a smartphone or watch, a hardware/software token, a landline telephone, etc. You may register multiple verification devices. To find out more about ProSight Duo two-factor identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services.
- Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
Progent's Support Desk services allow your information technology group to outsource Call Center services to Progent or divide activity for Help Desk services seamlessly between your internal support group and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a seamless extension of your core network support team. End user interaction with the Help Desk, delivery of support, escalation, trouble ticket generation and tracking, efficiency metrics, and maintenance of the service database are consistent regardless of whether incidents are taken care of by your corporate support organization, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Help Desk services.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates cutting-edge behavior analysis tools to defend endpoints as well as servers and VMs against new malware attacks like ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus products. Progent ASM services safeguard local and cloud resources and offer a single platform to automate the complete threat lifecycle including protection, detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and recovery services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect data related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can eliminate as much as 50% of time spent looking for critical information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer businesses of any size a versatile and affordable solution for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. Besides maximizing the protection and reliability of your computer environment, Progent's software/firmware update management services free up time for your IT team to focus on line-of-business projects and tasks that deliver maximum business value from your information network. Read more about Progent's software/firmware update management support services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily escape legacy signature-matching AV products. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to address the entire malware attack progression including filtering, detection, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge tools packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help you to design and configure a ProSight ESP deployment that addresses your company's specific needs and that allows you to prove compliance with legal and industry information security regulations. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for immediate attention. Progent can also help your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
For 24x7x365 Miami Beach Ransomware Removal Services, call Progent at 800-462-8800 or go to Contact Progent.