Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyber plague that presents an extinction-level danger for businesses of any size that are poorly prepared for an attack. Ransomware families such as CrySIS, WannaCry, Locky, SamSam and MongoLock have been running rampant for years and continue to cause damage. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with as yet unnamed newcomers appearing daily, not only encrypt online data but also encrypt any system backups they can reach. Data synchronized to off-site disaster recovery sites can be corrupted as well. In a poorly architected environment this can render automated recovery impossible and effectively set the datacenter back to square one.
Recovering applications and data after a crypto-ransomware intrusion becomes a race against time as the targeted organization tries to stop the spread, eradicate the malware, and resume business-critical activity. Because ransomware takes time to spread, attacks are usually launched on weekends and at night, when they take longer to be discovered. This compounds the difficulty of rapidly assembling and coordinating a capable response team.
Progent offers an assortment of solutions for protecting businesses from ransomware events. Among these are staff education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation endpoint protection from SentinelOne, which uses machine-learning behavioral analysis to detect and suppress zero-day threats quickly. Progent can also provide the services of experienced ransomware recovery professionals with the talent and perseverance to restore a breached network as soon as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys needed to decrypt all your data. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms are typically a few hundred thousand dollars, and for larger organizations they can reach millions. The alternative is to rebuild the vital parts of your IT environment. Without access to full system backups, this calls for a wide range of IT skills, first-rate project management, and the ability to work around the clock until the job is done.
For two decades, Progent has provided certified expert IT services to companies across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals with advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise allows Progent to knowledgeably identify critical systems, salvage the surviving parts of your network after a ransomware event, and rebuild them into a functioning environment.
Progent's ransomware team uses proven project management methods to coordinate the complex restoration process. Progent understands the importance of working swiftly and in unison with a customer's management and IT staff to prioritize tasks and bring critical systems back online as soon as possible.
Client Story: A Successful Ransomware Intrusion Recovery
A business contacted Progent after its network was crippled by Ryuk crypto-ransomware. Early reporting attributed Ryuk to North Korean state-sponsored groups, possibly using tooling leaked from the NSA; later analysis linked it to Russian-speaking criminal operators, and the attribution remains debated. Ryuk targets specific companies with little or no ability to tolerate operational disruption and is among the most profitable strains of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with around 500 employees. The Ryuk attack had halted all business and manufacturing operations. Most of the client's backups were online at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (more than $200K) and hope for the best, but instead reached out to Progent.
"I cannot tell you enough about the care Progent gave us during the most critical time of (our) company's existence. We would have paid the cyber criminals if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail system and production servers back on-line in less than a week was earth shattering. Each expert I worked with or communicated with at Progent was absolutely committed to getting our system up and was working day and night to bail us out."
Progent worked hand in hand with the client to quickly assess and prioritize the key systems that had to be restored before company operations could restart:
- Active Directory (AD)
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practices by stopping lateral movement and eradicating the malware from affected systems. Progent then started rebuilding Active Directory, the heart of any enterprise network built on Microsoft Windows. Microsoft Exchange Server messaging will not function without Windows AD, and the business's accounting and MRP system ran on Microsoft SQL Server, which relied on Windows AD for authentication and authorization to the databases.
Within two days, Progent had rebuilt Windows Active Directory to its pre-intrusion state. Progent then performed reinstallations and storage recovery for the required applications. All Microsoft Exchange Server data and configuration information were intact, which accelerated the Exchange rebuild. Progent was also able to locate Outlook Offline Folder (OST) files on staff workstations and laptops and use them to recover mailbox data. A reasonably recent offline backup of the customer's financials/ERP software made it possible to bring those essential applications back into service. Although a great deal of work remained to recover fully from the Ryuk damage, the most important systems were returned to operation quickly:
"For the most part, the production operation showed little impact and we made all customer deliverables."
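The client's backups were encrypted because they were still reachable from the compromised network, and recovery hinged on one offline backup being clean. As an added example (not Progent's code or any tooling from the case study), the following Python script triages a backup or restore tree before it is trusted for recovery: it flags files whose contents look like ciphertext, files with a marker extension appended to a known document type, and ransom notes, then refuses the set when any note is present or more than a small fraction of files are damaged. The entropy threshold, the extension lists, the `.locked` marker and the sample files it builds are assumptions for illustration; intact compressed formats such as docx, xlsx and PDF are recognized by their header so they are not mistaken for encrypted data.

```python
"""Triage a backup or restore tree for ransomware damage before trusting it.

Added example, not Progent's code. The thresholds, extension lists and the
sample files built by build_sample_set() are assumptions for illustration.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.2      # bits per byte; ciphertext approaches 8.0 (assumed cutoff)
SAMPLE_BYTES = 64 * 1024     # only the head of each file is read
MAX_DAMAGED_RATIO = 0.05     # more than 5% damaged files and the set is not trusted (assumed)
KNOWN_EXTS = {".txt", ".csv", ".log", ".docx", ".xlsx", ".pdf", ".bak",
              ".mdf", ".ost", ".pst", ".vhdx", ".zip"}
# Formats that are high-entropy by design; an intact header proves the file is
# whole, so these are never reported as ciphertext on entropy alone.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
         ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".gz": b"\x1f\x8b"}
NOTE_KEYWORDS = (b"decrypt", b"bitcoin", b"your files", b"ransom")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Return 'note', 'renamed', 'encrypted' or 'ok' for a single file."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""
    # Ransom notes are small text files carrying payment or decryption language.
    if len(head) < 8192 and any(k in head.lower() for k in NOTE_KEYWORDS):
        return "note"
    # "invoice.pdf.locked": a known extension with an unknown marker appended.
    if len(suffixes) >= 2 and suffixes[-2] in KNOWN_EXTS and last not in KNOWN_EXTS:
        return "renamed"
    # An intact compressed container is expected to be high-entropy; accept it.
    magic = MAGIC.get(last)
    if magic is not None and head.startswith(magic):
        return "ok"
    # Anything else that looks like random bytes was most likely encrypted in place.
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "ok"


def triage(root: str) -> dict:
    """Walk root, classify every file and decide whether the set is restorable."""
    counts: Counter = Counter()
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            verdict = classify_file(p)
            counts[verdict] += 1
            if verdict != "ok":
                flagged.append(p.relative_to(root).as_posix())
    total = sum(counts.values())
    damaged = counts["encrypted"] + counts["renamed"]
    trustworthy = (total > 0 and counts["note"] == 0
                   and damaged / total <= MAX_DAMAGED_RATIO)
    return {"total": total, "counts": dict(counts),
            "flagged": sorted(flagged), "trustworthy": trustworthy}


def build_sample_set(root: str) -> None:
    """Constructed sample tree: two intact files, one encrypted in place,
    one with a marker extension appended, and a ransom note."""
    fin = Path(root, "finance")
    fin.mkdir(parents=True, exist_ok=True)
    (fin / "ledger.csv").write_bytes(b"date,account,amount\n" * 400)    # intact, low entropy
    (fin / "q3.docx").write_bytes(b"PK\x03\x04" + os.urandom(4096))     # intact zip container
    (fin / "invoice.pdf").write_bytes(os.urandom(4096))                 # header destroyed
    (fin / "budget.xlsx.locked").write_bytes(os.urandom(4096))          # ".locked" is a made-up marker
    Path(root, "README_FOR_DECRYPT.txt").write_bytes(
        b"Your files are encrypted. Send bitcoin to get the decrypt tool.\n")


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_set(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(demo())
```

Point `triage()` at a mounted copy of the backup rather than the live share. A file of a compressed type whose header is gone (as with `invoice.pdf` in the sample) is the clearest sign of in-place encryption, and a single ransom note should disqualify the set regardless of the damaged-file count, since the note proves the attacker had write access to that storage.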
Over the next couple of weeks, key milestones in the recovery were reached through close collaboration between Progent consultants and the customer:
- In-house web sites were returned to operation without losing any data.
- The MailStore email archive server for Microsoft Exchange, holding over four million archived messages, was brought online and made available to users.
- CRM/Orders/Invoicing/Accounts Payable/AR/Inventory capabilities were 100 percent functional.
- A new Palo Alto Networks 850 (PA-850) firewall was installed and configured.
- Most user PCs were back in operation.
"A huge amount of what transpired in the initial days is nearly entirely a blur for me, but my team will not forget the care each member of your team put in to give us our company back. I've utilized Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This event was a Herculean accomplishment."
Conclusion
A probable business extinction event was averted through dedicated professionals, a broad spectrum of subject matter expertise, and close collaboration. In hindsight, the ransomware incident described here could have been contained with up-to-date security tooling, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 practices, staff training, and sound procedures for backup and patching. The reality, however, is that state-sponsored and criminal cyber gangs operating from China, Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by a ransomware incursion, be assured that Progent's team has a proven track record in ransomware blocking, removal, and information systems restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for letting me get some rest after we got past the initial fire. All of you put in an amazing effort, and if anyone who helped is visiting the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this ransomware incident report, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in San Francisco a portfolio of remote monitoring and security assessment services to help reduce the threat from ransomware. These services include next-generation machine learning technology to uncover zero-day ransomware variants that evade traditional signature-based security products.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the state of the vital assets that drive your network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT staff and your assigned Progent consultant so that looming issues can be addressed before they impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Desktops
ProSight LAN Watch with NinjaOne RMM offers a centralized, cloud-based solution for managing your network, server, and desktop devices and for automating common, tedious jobs. These include health monitoring, patch management, automated remediation, endpoint deployment, backup and restore, anti-virus defense, remote access, built-in and custom scripts, asset inventory, endpoint status reporting, and troubleshooting assistance. If ProSight LAN Watch with NinjaOne RMM identifies a serious incident, it sends an alert to your designated IT staff and your assigned Progent consultant so emerging problems can be fixed before they impact your network. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, track, optimize and troubleshoot their networking appliances such as routers and switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that network maps are always current, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and sends notices when issues are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, finding appliances that need critical software patches, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of real-time and in-depth management reporting plug-ins designed to integrate with the industry's leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like spotty support follow-through or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with leading backup software companies to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products manage and monitor your data backup operations and enable transparent backup and rapid recovery of important files, apps, system images, and VMs. ProSight DPS helps you avoid data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or software glitches. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security companies to deliver centralized control and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to provide layered protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer serves as a preliminary barrier and blocks the vast majority of threats before they reach your security perimeter, which reduces your exposure to external attacks and conserves bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of analysis for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Exchange Server track and protect internal email traffic that originates and terminates inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication managed services incorporate Cisco's Duo technology to protect against stolen passwords through two-factor authentication (2FA). Duo enables one-tap identity verification on iOS, Android, and other personal devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to verify your identity using a device that only you possess, contacted over a separate, out-of-band channel. A broad selection of out-of-band devices can be used for this second factor, including a smartphone or smartwatch, a hardware token, or a landline phone, and you may register multiple verification devices. For more information about ProSight Duo identity authentication services, visit Duo MFA two-factor authentication services.
- Outsourced/Co-managed Service Center: Support Desk Managed Services
Progent's Service Desk managed services let your IT staff offload help desk services to Progent entirely, or share support work transparently between your in-house network support staff and Progent's extensive pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk is a seamless extension of your core network support organization. User access to the Service Desk, delivery of support, issue escalation, trouble ticket creation and updates, performance metrics, and maintenance of the support database are consistent whether issues are handled by your in-house support organization, by Progent's team, or by a combination of the two. Read more about Progent's outsourced/co-managed Service Desk services.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that uses advanced behavior analysis to defend endpoints, servers and VMs against new malware attacks such as ransomware and phishing payloads, which routinely get past traditional signature-based anti-virus products. Built on ProSight Active Security Monitoring, the service protects local and cloud-based resources and provides a single platform to address the entire attack progression, including protection, detection, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data about your network infrastructure, procedures, business applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of the time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures and how-to guides. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
- Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide businesses of any size a versatile and cost-effective solution for assessing, validating, scheduling, implementing, and tracking updates to your ever-evolving information system. In addition to maximizing the protection and reliability of your IT network, Progent's patch management services free up time for your in-house IT team to concentrate on more strategic projects and tasks that derive the highest business value from your network. Find out more about Progent's patch management services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be migrated quickly to an alternate hosting solution without a lengthy and technically risky reconfiguration. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior-based analysis tools to defend physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to manage the entire threat lifecycle including protection, identification, containment, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to cyber attacks from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools packaged within one agent and managed from a single console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP environment that meets your organization's specific needs and that helps you demonstrate compliance with government and industry information protection regulations. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also help you install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.
For 24x7 ransomware removal and recovery support services in San Francisco, reach out to Progent at 800-462-8800 or go to Contact Progent.