Ransomware: Your Feared IT Disaster
Ransomware Remediation Consultants
Ransomware has become a modern cyber pandemic and an enterprise-level threat to any organization unprepared for an attack. Families such as Reveton, CryptoWall, Locky, NotPetya and MongoLock have been causing havoc for years. More recent strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nephilim, along with a steady stream of as yet unnamed variants, do not merely encrypt production data: the operators deliberately hunt down and destroy every backup they can reach, deleting volume shadow copies and backup catalogs and encrypting any backup share that is reachable from the compromised network. Data replicated to cloud storage can be corrupted as well, because synchronization faithfully copies the encrypted files. In a poorly architected data protection design this can make recovery hopeless and effectively sends the datacenter back to square one.

Recovering applications and data after a crypto-ransomware intrusion is a race against time as the targeted business fights to contain the damage, eradicate the ransomware, and resume business-critical activity. Because encryption takes time to spread across an estate, attackers frequently detonate the payload at night, on weekends or over holidays, when an intrusion is likely to go unnoticed for longer. This compounds the difficulty of quickly assembling and organizing a capable response team.

Progent offers a variety of services for protecting businesses against crypto-ransomware. These include user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring, an endpoint protection service built on SentinelOne's behavior-based machine learning that detects and quarantines new attacks quickly, and installation of modern security gateways. Progent also offers the services of seasoned crypto-ransomware recovery consultants with the skill and commitment to restore a compromised network as quickly as possible.

Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom in cryptocurrency gives no assurance that the criminals will hand over decryption keys for any or all of your data. Kaspersky Lab found that 17% of crypto-ransomware victims never recovered their files even after paying, compounding their losses. The ransom itself is costly: Ryuk demands commonly run to a few hundred thousand dollars, and for larger organizations into the millions. The alternative is to piece the critical elements of your IT environment back together. Without usable backups, this requires a wide range of IT skills, professional project management, and the willingness to work around the clock until the job is done.

For twenty years, Progent has provided certified expert IT services to companies across the U.S. and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts (SMEs) includes professionals with advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise allows Progent to identify the systems that matter, salvage the surviving parts of your network after a ransomware intrusion, and reassemble them into a working environment.

Progent's security team uses proven project management tools to coordinate the complex recovery process. Progent understands the urgency of acting quickly and works with the customer's management and IT staff to prioritize tasks and bring essential applications back online as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Virus Recovery
A business hired Progent after it was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware, but later analysis by CrowdStrike and others tied its operation to the Russian-speaking criminal group behind the TrickBot botnet. Ryuk is used in targeted attacks against organizations with little tolerance for downtime and is among the most profitable ransomware operations. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with around 500 staff. The Ryuk incident had paralyzed all business operations and production processes. Most of the client's backups had been online and reachable from the compromised network when the attack began, and were encrypted along with the production data. The client was preparing to pay the ransom (over $200K) and hope for the best, but ultimately decided to engage Progent instead.
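Backups that are reachable from the compromised domain are destroyed in a predictable way: before the encryptor runs, the operators delete volume shadow copies, purge the Windows Backup catalog and disable boot recovery (MITRE ATT&CK T1490, Inhibit System Recovery). Those commands are a high-fidelity early warning. The script below is an added example, not code from the original case study or from Progent's tooling. It matches process-creation command lines against the destruction commands used by Ryuk and similar families, reads real events from Sysmon when it is installed, and runs against a set of constructed sample events so it can be tried offline. The host names, account names and timestamps in the samples are invented for the example.

```powershell
# Added example (not from the original case study). Flags the commands ransomware runs to
# destroy local recovery points (MITRE ATT&CK T1490) in process-creation events.

# Regexes for backup-destruction commands seen in Ryuk and similar families.
$RecoveryInhibitionPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',                      # delete volume shadow copies
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',                # shrink storage so VSS purges copies
    'wmic(\.exe)?\s+shadowcopy\s+delete',                       # WMI route to the same end
    'Win32_ShadowCopy.*\.Delete\(',                             # PowerShell/WMI route
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',   # wipe the Windows Backup catalog
    'bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)',
    'diskshadow(\.exe)?.*delete\s+shadows'
)

# Returns the first matching pattern, or $null when the command line is benign.
function Test-RecoveryInhibition {
    param([Parameter(Mandatory)][string] $CommandLine)
    foreach ($p in $RecoveryInhibitionPatterns) {
        if ($CommandLine -imatch $p) { return $p }
    }
    return $null
}

# Turns one event (real or constructed) into a finding when its command line matches.
function Get-RecoveryInhibitionFinding {
    param([Parameter(Mandatory)] $Event)   # needs Computer, User, CommandLine, TimeCreated
    $hit = Test-RecoveryInhibition -CommandLine $Event.CommandLine
    if (-not $hit) { return $null }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Computer    = $Event.Computer
        User        = $Event.User
        Pattern     = $hit
        CommandLine = $Event.CommandLine
    }
}

# Pulls Sysmon process-creation events (Event ID 1) from the local host. Requires Sysmon;
# with the audit policy "Include command line in process creation events" enabled, the same
# approach works against Security event 4688, whose command-line field is also 'CommandLine'.
function Get-SysmonProcessEvents {
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
                 StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            User        = ($data | Where-Object Name -eq 'User').'#text'
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
        }
    }
}

# Constructed sample events for an offline run: two benign, three from the destruction phase.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2019-06-01 02:03:11'; Computer = 'FS01'; User = 'CORP\svc-backup'
                       CommandLine = 'wbadmin start backup -backupTarget:\\BKP01\nightly -include:D:' }
    [pscustomobject]@{ TimeCreated = '2019-06-01 02:04:40'; Computer = 'FS01'; User = 'CORP\admin-jd'
                       CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet' }
    [pscustomobject]@{ TimeCreated = '2019-06-01 02:04:41'; Computer = 'FS01'; User = 'CORP\admin-jd'
                       CommandLine = 'wbadmin DELETE CATALOG -quiet' }
    [pscustomobject]@{ TimeCreated = '2019-06-01 02:04:43'; Computer = 'FS01'; User = 'CORP\admin-jd'
                       CommandLine = 'bcdedit /set {default} recoveryenabled No' }
    [pscustomobject]@{ TimeCreated = '2019-06-01 02:10:05'; Computer = 'WS-ENG-07'; User = 'CORP\alice'
                       CommandLine = '"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"' }
)

# Offline run over the samples; replace $SampleEvents with (Get-SysmonProcessEvents) on a live host.
$SampleEvents | ForEach-Object { Get-RecoveryInhibitionFinding -Event $_ } |
    Where-Object { $_ } | Format-Table Time, Computer, User, Pattern -AutoSize
```

On the constructed input the three admin-jd commands are reported and the two benign lines are not. The point for a backup design is the ordering: the same account that can run these commands can also reach any backup share the domain can, which is why the copy that saves you has to be one this account cannot touch.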


"I can't speak enough in regards to the care Progent provided us throughout the most critical time of (our) company's survival. We would have had little choice but to pay the hackers behind this attack if it weren't for the confidence the Progent experts gave us. That you could get our e-mail and essential applications back in under five days was beyond my wildest dreams. Each staff member I worked with or messaged at Progent was absolutely committed to getting our system up and was working at all hours to bail us out."

Progent worked hand in hand with the customer to quickly identify and prioritize the essential services that had to be restored before company operations could resume:

  • Windows Active Directory
  • Email
  • Accounting/MRP
To begin, Progent followed ransomware incident response best practice by isolating and cleaning the infected systems. Progent then set about bringing Microsoft Active Directory back online, the foundation of any enterprise environment built on Windows. Microsoft Exchange Server will not function without Active Directory, and the customer's financials and MRP software ran on Microsoft SQL Server, which depended on Active Directory for authentication and authorization to the databases. Active Directory restored from a pre-attack backup has to be treated as potentially compromised, since the attackers held domain credentials: privileged passwords and the krbtgt account should be reset (krbtgt twice) before dependent services are reattached.

Within 48 hours, Progent had rebuilt Windows Active Directory to its pre-attack state. Progent then reinstalled and recovered the disks of the most important systems. The Exchange Server configuration and connectors were intact, which sped up the Exchange rebuild. Progent located local OST files (Outlook offline data files) on user workstations and laptops and used them to recover mail data. A recent offline backup of the client's manufacturing systems made it possible to bring those required applications back to users. Although a great deal of work remained to recover fully from the Ryuk attack, core systems were recovered quickly:
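Harvesting OST files is a useful trick because each one is a near-complete copy of a mailbox that was never on the encrypted servers, but only a file that escaped encryption is worth copying. The script below is an added example, not the procedure or tooling from the original case study. It walks the default Outlook cache location of every profile on a list of workstations over the C$ admin share, checks that each file still begins with the PFF signature "!BDN" that intact OST/PST files carry (an encrypted copy will not), and copies the intact ones to a recovery share with a hash manifest. The host names, recovery share and attack timestamp are assumptions for the example; the run account needs local administrator rights on the workstations.

```powershell
# Added example (not from the original case study): harvest intact Outlook OST files from
# workstation profiles for mailbox recovery. Host list, share and timestamp are assumptions.
param(
    [string[]] $Hosts         = @('WS-ACCT-01', 'WS-ENG-07', 'LT-SALES-12'),  # constructed
    [string]   $RecoveryShare = '\\RECOVERY01\ost-harvest',                    # assumed
    [datetime] $AttackStart   = (Get-Date '2019-06-01 02:00')                  # assumed
)

# Intact OST/PST files start with the PFF signature "!BDN" (0x21 0x42 0x44 0x4E).
# A ransomware-encrypted copy does not, so reading four bytes is enough to triage a file.
function Test-OstSignature {
    param([Parameter(Mandatory)][string] $Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        $n   = $fs.Read($buf, 0, 4)
        return ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq '!BDN')
    } finally { $fs.Dispose() }
}

$manifest = New-Object System.Collections.Generic.List[object]

foreach ($h in $Hosts) {
    if (-not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
        Write-Warning "$h unreachable, skipping (a laptop still powered off may hold the cleanest copy)"
        continue
    }
    # Default Outlook cache location under each profile. '*.ost*' also catches files the
    # ransomware renamed by appending its own extension.
    $pattern = "\\$h\C$\Users\*\AppData\Local\Microsoft\Outlook\*.ost*"
    foreach ($f in Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue) {
        $user   = $f.FullName.Split('\')[5]        # \\host\C$\Users\<user>\...
        $intact = Test-OstSignature -Path $f.FullName
        $state  = if ($intact) { 'intact' } elseif ($f.LastWriteTime -ge $AttackStart) { 'encrypted' } else { 'no-signature' }
        $dest   = $null
        $hash   = $null
        if ($intact) {
            $destDir = Join-Path $RecoveryShare (Join-Path $h $user)
            New-Item -ItemType Directory -Path $destDir -Force | Out-Null
            Copy-Item -Path $f.FullName -Destination $destDir
            $dest = Join-Path $destDir $f.Name
            $hash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash   # hash the copy we will restore from
        }
        $manifest.Add([pscustomobject]@{
            Host      = $h
            User      = $user
            Source    = $f.FullName
            SizeMB    = [math]::Round($f.Length / 1MB, 1)
            LastWrite = $f.LastWriteTime
            State     = $state
            SHA256    = $hash
            CopiedTo  = $dest
        })
    }
}

$manifest | Export-Csv -Path (Join-Path $RecoveryShare 'ost-manifest.csv') -NoTypeInformation
$manifest | Format-Table Host, User, SizeMB, LastWrite, State -AutoSize
```

The manifest is what makes the harvest defensible later: it records which mailbox copy came from which machine, when it was last written, and the hash of the file that was actually handed to the Exchange team for import.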


"For the most part, the production operation was never shut down and we delivered all customer orders."

Over the following couple of weeks, key milestones in the recovery were completed through close cooperation between Progent's team and the customer:

  • Self-hosted web applications were brought back up without data loss.
  • The MailStore archive server, holding more than four million archived Exchange messages, was restored and made available to users.
  • CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory modules were fully restored.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Nearly all user PCs were fully operational.

"Much of what occurred during the initial response is almost entirely a fog to me, but my team will not soon forget the urgency with which all of the team worked to help get our business back. I have used Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."

Conclusion
A potentially business-ending disaster was averted by hard-working experts, a wide array of subject matter expertise, and tight collaboration. Post-incident forensics showed that the attack described here would have been blocked by modern security technology, NIST Cybersecurity Framework best practices, staff education, and sound procedures for protecting data and applying software patches. Even so, state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incident, you can be confident that Progent's team has a proven track record in ransomware defense, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for making it so I could get some sleep after we made it through the most critical parts. Everyone did an impressive effort, and if any of your team is around the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Petaluma a portfolio of remote monitoring and security assessment services designed to help you minimize your exposure to ransomware. These services include next-generation machine-learning technology to catch zero-day ransomware strains that get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next-generation behavioral machine learning to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily escape legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform for the complete malware attack lifecycle: blocking, detection, containment, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Because ransomware routinely tries to delete shadow copies before it encrypts, VSS-based rollback is only as good as the agent's ability to block those deletions, so that protection is part of the service rather than an afterthought. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of, and response to, security threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through tools delivered in a single agent and managed from a unified console. Progent's data protection and virtualization consultants can help you plan and configure a ProSight ESP environment that addresses your company's specific needs and helps you demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement the security policies that ProSight ESP enforces, and will monitor your network and respond to alerts that call for immediate action. Progent can also help you set up and test a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology providers to create ProSight Data Protection Services, a portfolio of subscription-based managed plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and allow non-disruptive backup and fast restoration of critical files, applications, images, and VMs. ProSight DPS helps you avoid data loss resulting from equipment failures, natural disasters, fire, malware such as ransomware, user error, malicious insiders, or software defects. As the case study above shows, the backup that saves you is the one the attacker could not reach, so any backup design should include a copy that cannot be altered from the production domain (offline, air-gapped or immutable storage). Managed backup services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security companies to provide web-based management and world-class protection for all your email traffic. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer acts as a first line of defense and keeps most threats from making it to your security perimeter. This reduces your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a further level of inspection for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to diagram, track, reconfigure and debug their networking hardware like switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, captures and displays the configuration of almost all devices on your network, tracks performance, and generates notices when problems are detected. By automating time-consuming management activities, WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, finding devices that require critical software patches, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by tracking the state of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that all looming problems can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that lets you create, maintain, retrieve and protect information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By keeping your IT documentation current and organized, you can eliminate up to half of the time spent hunting for critical information about your network. ProSight IT Asset Management includes a common location for storing and collaborating on all the documents required to manage your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and correlating IT information. Whether you're planning improvements, performing routine maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates next-generation behavior-based machine learning to defend endpoint devices, servers and VMs against modern malware attacks such as ransomware and email phishing, which easily get past legacy signature-based AV products. The service safeguards on-premises and cloud-based resources and offers a single platform for the complete malware attack progression: blocking, detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Help Desk managed services allow your information technology team to outsource Help Desk services to Progent or split activity for Service Desk support transparently between your in-house network support group and Progent's extensive roster of IT service engineers and subject matter experts. Progent's Shared Help Desk Service offers a transparent extension of your in-house IT support organization. End user access to the Service Desk, provision of support, problem escalation, ticket generation and tracking, performance measurement, and maintenance of the service database are cohesive whether issues are resolved by your internal network support organization, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer organizations of all sizes a flexible and affordable alternative for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information network. Besides maximizing the protection and reliability of your IT environment, Progent's patch management services permit your IT staff to focus on line-of-business projects and tasks that deliver maximum business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication. Duo enables one-tap identity confirmation with Apple iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a secured application and enter your password you are requested to confirm your identity via a device that only you possess and that uses a different ("out-of-band") network channel. A wide range of out-of-band devices can be utilized as this second form of authentication including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may designate several validation devices. For details about Duo identity authentication services, see Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of real-time management reporting utilities created to work with the top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
For 24x7 crypto-ransomware remediation consultants in Petaluma, call Progent at 800-462-8800 or visit Contact Progent.