Crypto-Ransomware: Your Worst IT Disaster
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an existential danger to organizations unprepared for an attack. Families such as CrySIS, CryptoWall, Locky and MongoLock have been around for many years and continue to cause damage. Newer families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Egregor, along with many less publicized variants, not only encrypt online data but also seek out and encrypt every backup they can reach over the network. Files synchronized to the cloud are not spared either: the encrypted versions are synchronized up and overwrite the good copies. With a poorly designed data protection solution this can make restoration impossible and effectively sets the entire environment back to zero.
Recovering applications and data after a ransomware intrusion becomes a race against time as the victim struggles to stop lateral movement, eradicate the ransomware, and restore business-critical operations. Because crypto-ransomware takes time to spread, the encryption phase is frequently launched on weekends and at night, when it is likely to take longer to discover. This compounds the difficulty of quickly assembling and coordinating an experienced response team.
Progent provides a range of services for protecting businesses from crypto-ransomware. Among these are staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of SentinelOne's next-generation, machine-learning-based endpoint protection to identify and block zero-day attacks. Progent can also provide experienced ransomware recovery professionals with the skills and perseverance to rebuild a breached environment as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware attack, even paying the ransom in cryptocurrency does not ensure that the criminals will hand over the keys needed to decrypt your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their information after paying the ransom, compounding their losses. Paying is also expensive: Ryuk ransoms are commonly a few hundred thousand dollars, and for larger organizations the demand can reach millions. The alternative is to rebuild the vital parts of your IT environment from scratch. Without access to usable backups, this calls for a wide complement of skill sets, first-rate project management, and the capacity to work non-stop until the job is done.
For twenty years, Progent has provided professional IT services to businesses throughout the US and has earned Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's group of subject matter experts (SMEs) includes professionals holding advanced certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISA, CISSP, CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise allows Progent to knowledgeably identify critical systems, reorganize the surviving pieces of your network after a ransomware attack, and reassemble them into an operational environment.
Progent's recovery team uses modern project management tools to coordinate the complex recovery process. Progent understands the importance of acting rapidly and working alongside a client's management and IT staff to prioritize tasks and bring key applications back online as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Incident Response
A manufacturing business contacted Progent after Ryuk crypto-ransomware brought the company down. Ryuk was initially linked to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, but subsequent research attributes it to a Russian-speaking criminal group. Ryuk targets specific organizations that can least tolerate operational disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with around 500 workers. The Ryuk attack had paralyzed all business operations and manufacturing. Most of the client's backups were online and reachable from the network when the attack began, and they were encrypted along with the production data. The client considered paying the ransom (in excess of $200K) and hoping for the best, but in the end called Progent.
"I cannot say enough about the expertise Progent gave us throughout the most fearful period of (our) business's life. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent group gave us. That you could get our e-mail and critical servers back into operation sooner than a week was amazing. Each expert I interacted with or texted at Progent was totally committed to getting our company operational and was working non-stop on our behalf."
Progent worked together with the customer to quickly understand and assign priority to the mission critical services that had to be restored to make it possible to restart company functions:
- Active Directory (AD)
- Email
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident response best practice: contain the spread by isolating infected hosts, then eradicate the ransomware from them. Progent then began restoring Windows Active Directory, the foundation of any Microsoft Windows-based enterprise environment. Microsoft Exchange Server will not function without Active Directory, and the client's MRP software used Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the data.
Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then assisted with reinstallation and storage recovery on the most important servers. All Exchange Server schema and configuration information (which lives in Active Directory) was intact, which accelerated the Exchange rebuild. Progent located intact OST files (Outlook offline data files) on staff workstations and used them to recover mailbox data. A recent offline backup of the client's accounting/ERP software allowed those services to be restored. Although significant work remained to recover fully from the Ryuk damage, core services were returned to operation quickly:
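The mailbox recovery step above depends on telling intact Outlook data files apart from encrypted ones, and a file name alone does not answer that: ransomware may rename a file (Ryuk appends ".RYK") or encrypt it in place. The following Python script is an added example, not code from the original case study or from Progent. It walks a workstation profile tree and classifies every .ost/.pst file by its header: Outlook data files begin with the signature `!BDN` (the `dwMagic` field of the PST/OST header documented in Microsoft's [MS-PST] specification), so a file that no longer starts with those bytes has been overwritten. The sample profile tree, file names and the ".RYK" suffix are constructed for the demo.

```python
"""Triage Outlook data files (.ost/.pst) on a workstation after ransomware.

Added example, not part of the original case study.  Classification is driven
by the file header, not the file name, because renaming or in-place
encryption both leave misleading names behind.
"""
import os
import tempfile
from dataclasses import dataclass

OUTLOOK_MAGIC = b"!BDN"            # dwMagic of the PST/OST header ([MS-PST])
DATA_FILE_EXTS = (".ost", ".pst")  # matched anywhere in the name, so "x.pst.RYK" counts


@dataclass
class Finding:
    path: str
    size: int
    usable: bool     # True when the header is intact


def is_outlook_data_file(path: str) -> bool:
    """True if the first four bytes match the PST/OST signature."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == OUTLOOK_MAGIC
    except OSError:
        return False


def looks_like_outlook_name(name: str) -> bool:
    lower = name.lower()
    return any(ext in lower for ext in DATA_FILE_EXTS)


def triage(root: str) -> list[Finding]:
    """Walk root and classify every candidate Outlook data file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not looks_like_outlook_name(name):
                continue
            path = os.path.join(dirpath, name)
            findings.append(Finding(path, os.path.getsize(path), is_outlook_data_file(path)))
    return sorted(findings, key=lambda f: f.path)


def usable_files(root: str) -> list[str]:
    """Paths worth copying off the workstation before it is reimaged."""
    return [f.path for f in triage(root) if f.usable]


def build_sample_tree() -> str:
    """Constructed sample: one intact OST, one encrypted-and-renamed PST,
    one PST encrypted in place, and one unrelated file."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    profile = os.path.join(root, "Users", "alice", "AppData", "Local", "Microsoft", "Outlook")
    os.makedirs(profile)
    with open(os.path.join(profile, "alice@example.com.ost"), "wb") as f:
        f.write(OUTLOOK_MAGIC + b"\x00" * 60)          # intact header
    with open(os.path.join(profile, "archive.pst.RYK"), "wb") as f:
        f.write(b"\x8f\x12\xa0\xcc" + b"\x00" * 60)    # encrypted and renamed
    with open(os.path.join(profile, "old.pst"), "wb") as f:
        f.write(b"\x00\x00\x00\x00" + b"\x00" * 60)    # encrypted in place
    with open(os.path.join(root, "Users", "alice", "notes.txt"), "wb") as f:
        f.write(b"hello")                              # not an Outlook file
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for finding in triage(root):
        label = "USABLE   " if finding.usable else "ENCRYPTED"
        print(label, finding.size, finding.path)
```

Run it against a mounted image or a mapped administrative share of each workstation, and copy the usable files off before the machine is wiped; an OST can be opened in Outlook or imported into a rebuilt mailbox, whereas an encrypted one is only useful as evidence.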
"For the most part, the assembly line operation was never shut down and we delivered all customer shipments."
During the following weeks, key milestones in the restoration were reached through close collaboration between Progent's team and the client:
- Internal web sites were brought back up without losing any data.
- The MailStore email archive server, containing more than 4 million historical emails, was brought online and made accessible to users.
- CRM, orders, invoicing, accounts payable, accounts receivable (AR), and inventory control were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Ninety percent of user desktops were fully operational.
"A lot of what occurred during the initial response is mostly a haze for me, but my management will not soon forget the dedication all of your team accomplished to give us our company back. I've been working with Progent for at least 10 years, maybe more, and every time Progent has come through and delivered. This time was a testament to your capabilities."
Conclusion
A potentially business-ending disaster was averted through results-oriented professionals, a broad spectrum of expertise, and close collaboration. In hindsight, the attack described here would have been stopped by current security technology and recognized best practices: user education, a backup design that keeps at least one copy offline or otherwise unreachable from the production network, and keeping systems current with security patches. The reality remains that criminal and state-sponsored ransomware groups operating from Russia, North Korea, China and elsewhere are relentless and are not going away. If you do fall victim to ransomware, remember that Progent's team has substantial experience in ransomware prevention, mitigation, and disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get some sleep after we got through the initial push. Everyone made an amazing effort, and if anyone is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Fresno a range of online monitoring and security assessment services designed to reduce the threat from crypto-ransomware. These services use machine-learning-based detection to catch new strains of ransomware that evade traditional signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to keep your network running at peak levels by checking the state of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT personnel and your Progent engineering consultant so that any potential problems can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a unified, cloud-driven solution for managing your client-server infrastructure by providing tools for performing common tedious jobs. These include health checking, update management, automated remediation, endpoint setup, backup and restore, anti-virus response, secure remote access, built-in and custom scripts, asset inventory, endpoint profile reporting, and debugging help. If ProSight LAN Watch with NinjaOne RMM spots a serious issue, it transmits an alert to your designated IT personnel and your Progent consultant so emerging problems can be taken care of before they interfere with productivity. Find out more details about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, track, optimize and troubleshoot their networking appliances such as routers and switches, firewalls, and load balancers as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always current, captures and displays the configuration of virtually all devices on your network, monitors performance, and sends alerts when issues are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding devices that need important software patches, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time and in-depth reporting plug-ins created to work with the leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has worked with advanced backup technology companies to produce ProSight Data Protection Services, a selection of management offerings that provide backup-as-a-service. ProSight DPS services manage and track your data backup processes and allow non-disruptive backup and fast restoration of important files, applications, images, plus virtual machines. ProSight DPS helps you avoid data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, user mistakes, malicious employees, or application glitches. Managed backup services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to provide web-based management and world-class security for your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The cloud filter acts as a first line of defense and blocks most unwanted email before it reaches your network firewall. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's on-premises gateway device provides a deeper layer of inspection for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server monitor and safeguard internal email that never leaves your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against credential theft by using two-factor authentication (2FA). Duo supports one-tap identity verification with iOS, Android, and other personal devices. With 2FA, whenever you log into a protected account and enter your password, you are asked to verify your identity via a device that only you have and that is reached over a separate channel, so a stolen password alone is not enough to log in. A broad selection of devices can be used for this second factor, including an iPhone, Android phone or wearable, a hardware token, or a landline telephone. You can designate several validation devices. For details about ProSight Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services.
- Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
Progent's Call Desk managed services enable your information technology staff to offload Support Desk services to Progent or divide responsibilities for Service Desk support transparently between your in-house network support staff and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your core support group. End user access to the Help Desk, provision of support services, problem escalation, trouble ticket creation and updates, performance measurement, and maintenance of the support database are cohesive regardless of whether issues are resolved by your in-house IT support staff, by Progent, or a mix of the two. Learn more about Progent's outsourced/co-managed Service Center services.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates next-generation behavior analysis to defend endpoint devices, servers and VMs against modern malware such as ransomware and fileless attacks, which routinely evade legacy signature-matching anti-virus products. The service safeguards on-premises and cloud-based resources and provides a single platform to address the entire attack progression: blocking, identification, mitigation, remediation, and forensics. Top features include single-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect data related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL/TLS certificates, domains or warranties. By updating and organizing your network documentation, you can eliminate as much as half of the time wasted looking for vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent's Patch Management: Patch Management Services
Progent's support services for patch management offer organizations of any size a flexible and affordable alternative for assessing, testing, scheduling, implementing, and tracking updates to your ever-evolving information system. In addition to optimizing the security and reliability of your IT environment, Progent's patch management services allow your IT team to concentrate on line-of-business projects and tasks that derive maximum business value from your network. Learn more about Progent's software/firmware update management support services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that uses SentinelOne's behavioral machine-learning technology to defend physical and virtual endpoints against modern malware such as ransomware and email phishing, which routinely evade traditional signature-based anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a unified platform to automate the complete threat lifecycle: filtering, intrusion detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Note that VSS rollback only works if the shadow copies still exist; Ryuk and most other ransomware families delete them and disable Windows recovery before encrypting, so the agent must detect and block that step rather than rely on the snapshots surviving. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
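Because VSS rollback is only as good as the snapshots that survive, a practitioner wants a detection for the shadow-copy deletion step itself. The Python script below is an added example, not code from the page or from any Progent or SentinelOne product. It matches process-creation records against the well-documented command lines ransomware uses to inhibit recovery (MITRE ATT&CK T1490): `vssadmin delete shadows`, `vssadmin resize shadowstorage` (shrinking the store evicts existing snapshots), `wmic shadowcopy delete`, `wbadmin delete catalog`, `bcdedit ... recoveryenabled no` and the PowerShell `Win32_ShadowCopy` route. The sample records are constructed to resemble Windows Security event 4688 fields (host, user, parent process, command line) and are not real telemetry; `vssadmin list shadows` and a scheduled `wbadmin start backup` are included as benign controls.

```python
"""Detect shadow-copy and recovery-inhibition commands in process logs.

Added example, not part of the original page.  The sample events are
constructed; the command-line patterns are the documented T1490 behaviours.
"""
import re

# Each rule: (name, regex applied to the lower-cased command line)
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vssadmin resize shadowstorage",          # shrinking storage evicts snapshots
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("wmic shadowcopy delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"win32_shadowcopy.*delete")),
    ("wbadmin delete backup catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)")),
    ("bcdedit disable recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
]

SAMPLE_EVENTS = [  # constructed, modelled on event 4688 fields
    {"host": "WS-017", "user": "jdoe", "parent": "explorer.exe",
     "cmd": "vssadmin list shadows"},                                      # benign
    {"host": "WS-017", "user": "jdoe", "parent": "svchost.exe",
     "cmd": "vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "WS-017", "user": "jdoe", "parent": "cmd.exe",
     "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "FS-01", "user": "SYSTEM", "parent": "cmd.exe",
     "cmd": "wmic shadowcopy delete"},
    {"host": "FS-01", "user": "SYSTEM", "parent": "cmd.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS-01", "user": "SYSTEM", "parent": "cmd.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"host": "DC-01", "user": "backupsvc", "parent": "services.exe",
     "cmd": "wbadmin start backup -backupTarget:\\\\nas\\backups -quiet"},  # benign
]


def detect(events):
    """Return one hit per matching event: the event fields plus rule name."""
    hits = []
    for ev in events:
        cmd = ev["cmd"].lower()
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append({**ev, "rule": name, "technique": "T1490"})
                break      # one rule per event is enough for triage
    return hits


def hosts_with_recovery_inhibited(events):
    """Hosts where a T1490 command ran: VSS rollback is unreliable there and
    restoration has to come from offline backups."""
    return sorted({h["host"] for h in detect(events)})


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f'{h["host"]:6} {h["user"]:10} {h["rule"]:36} {h["cmd"]}')
    print("hosts needing offline restore:", hosts_with_recovery_inhibited(SAMPLE_EVENTS))
```

In practice the same patterns belong in the EDR's blocking policy, not only in a SIEM search: by the time the alert fires, the snapshots are already gone, which is why the case study's ERP restore came from an offline backup rather than from a rollback.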
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and react to attacks from all vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering through leading-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP deployment that addresses your organization's specific needs and that allows you to prove compliance with government and industry data protection standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your network and react to alarms that require immediate attention. Progent's consultants can also help your company set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
For 24x7x365 Fresno CryptoLocker Remediation Consulting, contact Progent at 800-462-8800 or go to Contact Progent.