Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that poses an existential danger to organizations unprepared for an attack. Multiple generations of ransomware such as CrySIS, CryptoWall, Locky, MongoLock and the self-propagating NotPetya worm have been in the wild for years and continue to wreak havoc. Modern families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Egregor, plus many less publicized strains, not only encrypt online files but also seek out and encrypt or delete every backup reachable from the compromised network. Data synchronized to cloud storage can be ransomed too, because the sync client faithfully uploads the encrypted versions. In a poorly architected environment this renders automatic restoration hopeless and effectively sets the entire system back to zero.
Recovering applications and data after a ransomware intrusion becomes a race against time as the targeted organization struggles to contain and eradicate the ransomware and to restore business-critical activity. Attackers frequently trigger encryption on weekends and holidays, when staffing is thin and the attack takes longer to detect and respond to. This multiplies the difficulty of quickly marshalling and orchestrating a capable mitigation team.
Progent offers a range of services for protecting businesses from ransomware attacks. These include training employees to recognize and avoid phishing, ProSight Active Security Monitoring (ASM), a managed endpoint protection service built on SentinelOne's behavior-based agents that detect and contain zero-day threats quickly, and deployment of modern security gateways. Progent can also provide seasoned ransomware recovery engineers with the skills and perseverance to restore a breached network as quickly as possible.
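One concrete, on-host instance of the backup destruction described above is the deletion of Volume Shadow Copies, Windows Backup catalogs and boot recovery settings moments before encryption begins. The script below, added here as an example and not part of the original page or of Progent's tooling, scans process-creation events for those commands and assigns a severity. It assumes one JSON object per line with Sysmon Event ID 1 style field names (Computer, User, ParentImage, CommandLine); the sample events embedded at the bottom are constructed.

```python
"""Flag process-creation events that destroy local recovery points.

Added example (not Progent's tooling).  Before encrypting, ransomware
operators routinely delete Volume Shadow Copies, Windows Backup catalogs
and boot recovery settings so that victims cannot roll back.  Those
commands are rare in normal administration, which makes them a
high-fidelity early warning.  Input format assumed: one JSON object per
line with Sysmon Event ID 1 style fields; the sample log is constructed.
"""
import json
import re
from typing import Iterable, Optional

# Command-line patterns for backup/recovery destruction: (label, regex).
BACKUP_DESTRUCTION_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin delete catalog/backups",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"bcdedit(?:\.exe)?.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("WMI Win32_ShadowCopy delete",
     re.compile(r"Win32_ShadowCopy.*?\.Delete\(\)", re.I)),
]

# These tools launched from an Office app, script host or browser almost
# always mean malicious code, so such parents raise the severity.
SUSPICIOUS_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe", "chrome.exe")


def parse_event(line: str) -> Optional[dict]:
    """Parse one JSON event line; return None for blank or malformed input."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def classify(command_line: str) -> list:
    """Return the labels of every destruction pattern found in a command line."""
    return [label for label, rx in BACKUP_DESTRUCTION_PATTERNS if rx.search(command_line)]


def severity(event: dict, matches: list) -> str:
    """'critical' when spawned by a suspicious parent or chaining several commands."""
    parent = (event.get("ParentImage") or "").lower().rsplit("\\", 1)[-1]
    if parent in SUSPICIOUS_PARENTS or len(matches) > 1:
        return "critical"
    return "high"


def scan(lines: Iterable[str]) -> list:
    """Run every process-creation event through the patterns; one alert per hit."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None or int(event.get("EventID", 0)) != 1:
            continue
        matches = classify(event.get("CommandLine", ""))
        if not matches:
            continue
        alerts.append({
            "host": event.get("Computer"),
            "user": event.get("User"),
            "parent": event.get("ParentImage"),
            "command": event.get("CommandLine"),
            "matches": matches,
            "severity": severity(event, matches),
        })
    return alerts


# Constructed sample export.  Lines 2, 4 and 5 are the textbook pre-encryption
# sequence; line 3 is a benign "list"; line 7 is a non-process event.
SAMPLE_LOG = r'''
{"EventID": 1, "Computer": "WS042", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
{"EventID": 1, "Computer": "WS042", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"}
{"EventID": 1, "Computer": "FS01", "User": "CORP\\backupsvc", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin.exe list shadows"}
{"EventID": 1, "Computer": "WS042", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic.exe shadowcopy delete"}
{"EventID": 1, "Computer": "WS042", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"}
this line is not JSON and must be skipped
{"EventID": 3, "Computer": "WS042", "User": "CORP\\jdoe", "CommandLine": "vssadmin delete shadows"}
'''


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity']}] {alert['host']} {alert['user']}: "
              f"{', '.join(alert['matches'])} <- {alert['command']}")
```

Feed it a real export (for example `Get-WinEvent` output converted to JSON lines) and the three alerts from a single host within a few minutes are the moment to isolate that machine, before the encryptor reaches the file shares.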
Progent's Ransomware Restoration Help
Even after a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will provide working decryption keys for any or all of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the vital components of your IT environment from scratch. Without access to essential backups, this requires a broad range of skill sets, well-coordinated team management, and the capability to work non-stop until the task is completed.
For decades, Progent has provided expert IT services for companies in Barueri-Alphaville and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold advanced certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise lets Progent knowledgeably assess critical systems, organize the surviving parts of your IT environment after a ransomware attack, and assemble them into a functioning network.
Progent's recovery group uses powerful project management systems to orchestrate the sophisticated restoration process. Progent appreciates the importance of acting swiftly and in unison with a client's management and Information Technology resources to prioritize tasks and to put the most important systems back on-line as soon as humanly possible.
Case Study: A Successful Ransomware Recovery
A client escalated to Progent after its network was penetrated by the Ryuk ransomware. Ryuk was initially linked to North Korea because of code it shares with the older Hermes ransomware, but most researchers now attribute it to a Russian-speaking criminal group that typically deploys it by hand after gaining a foothold through commodity malware such as Emotet or TrickBot. Ryuk targets specific businesses with limited ability to sustain disruption and is one of the most lucrative strains of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and Tribune Publishing, publisher of the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were encrypted along with everything else. The client was preparing to pay the ransom (more than $200K) and hope for the best, but ultimately decided to engage Progent instead.
"I cannot thank you enough for the expertise Progent gave us during the most critical time of our business's life. We would have paid the cyber criminals behind the attack if not for the confidence the Progent group afforded us. That you were able to get our e-mail system and key servers back into operation in less than one week was incredible. Every single expert I interacted with or e-mailed at Progent was amazingly focused on getting my company operational and was working at all hours to bail us out."
Progent worked with the customer to quickly assess and prioritize the critical areas that had to be addressed to make it possible to resume business functions:
To begin, Progent followed ransomware mitigation best practices by isolating and disinfecting affected systems. Progent then began the work of restoring Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's financials and MRP software used SQL Server, which in this environment relied on Active Directory for authentication to the database.
- Active Directory (AD)
In less than 2 days, Progent recovered Active Directory to its pre-attack state. Progent then completed the setup and storage recovery of essential applications. All Microsoft Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from staff workstations and laptops to recover email. A recent offline backup of the business's accounting/MRP software made it possible to bring these vital applications back online. Although substantial work remained to recover fully from the Ryuk damage, critical services were restored quickly:
"For the most part, the production manufacturing operation ran fairly normally throughout and we produced all customer sales."
Over the next couple of weeks, important milestones in the recovery process were reached through tight collaboration between Progent team members and the client:
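The OST harvesting step above is worth seeing in code: on a large workstation fleet the first question is which cached mailbox files are still intact. The script below is an added example, not Progent's recovery tooling. It relies on the documented fact that every .ost and .pst file begins with the 4-byte signature `!BDN` (dwMagic 0x4E444221 in Microsoft's MS-PST specification), which an encrypted file will no longer carry. The directory layout, host names and file contents in `build_demo_tree()` are constructed so the script runs offline; in practice `inventory()` is pointed at mounted disk images or an admin share.

```python
"""Inventory Outlook data files on recovered workstations and triage them.

Added example (not Progent's recovery tooling).  After a ransomware event
the cached .ost files on user workstations may be the only surviving copy
of mailbox content.  Every .ost and .pst file starts with the 4-byte
signature b"!BDN" (dwMagic 0x4E444221 in the MS-PST specification); a file
that ransomware has overwritten will not.  inventory() walks any directory
tree (a mounted disk image, or an admin share such as \\\\host\\C$\\Users);
build_demo_tree() constructs a throwaway tree so the demo runs offline.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

PST_MAGIC = b"!BDN"

# Match jdoe.ost, archive.pst and also jdoe.ost.RYK (Ryuk appended its own
# extension to files it encrypted), but not ghost.dat or repost.txt.
OUTLOOK_NAME = re.compile(r"\.(?:ost|pst)(?:\.|$)", re.I)


@dataclass
class OutlookFile:
    path: Path
    size: int
    intact: bool  # header signature present


def has_pst_signature(path: Path) -> bool:
    """Cheap first filter: check the MS-PST header magic."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(PST_MAGIC)) == PST_MAGIC
    except OSError:
        return False


def inventory(root: Path) -> list[OutlookFile]:
    """Find every .ost/.pst (including renamed ones) under root and test each."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if OUTLOOK_NAME.search(name):
                p = Path(dirpath) / name
                found.append(OutlookFile(p, p.stat().st_size, has_pst_signature(p)))
    return sorted(found, key=lambda f: str(f.path))


def summarize(files: list[OutlookFile]) -> dict:
    """Counts and recoverable byte total for the recovery status report."""
    intact = [f for f in files if f.intact]
    return {
        "total": len(files),
        "intact": len(intact),
        "damaged": len(files) - len(intact),
        "bytes_recoverable": sum(f.size for f in intact),
    }


def build_demo_tree() -> Path:
    """Constructed sample data mimicking %LOCALAPPDATA%\\Microsoft\\Outlook layouts."""
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    outlook = "AppData/Local/Microsoft/Outlook"
    samples = {
        f"WS01/Users/jdoe/{outlook}/jdoe@corp.example.ost": PST_MAGIC + b"\x00" * 2048,
        f"WS02/Users/asmith/{outlook}/asmith@corp.example.ost.RYK": b"\xab" * 2048,
        f"WS03/Users/bchan/{outlook}/bchan@corp.example.ost": PST_MAGIC + b"\x00" * 4096,
        "WS03/Users/bchan/Documents/archive2019.pst": b"\xab" * 1024,
        "WS01/Users/jdoe/Documents/ghost.dat": b"\x00" * 64,  # must be ignored
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    files = inventory(demo_root)
    for f in files:
        state = "intact " if f.intact else "DAMAGED"
        print(f"{state} {f.size:>8} {f.path.relative_to(demo_root)}")
    print(summarize(files))
```

A passing header check is only a first filter: some ransomware families encrypt files partially and leave headers intact, and Outlook will not open an orphaned .ost without its original mailbox profile, so candidates still go through an OST-to-PST conversion tool before anyone promises users their mail back.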
- Self-hosted web sites were restored without losing any data.
- The MailStore email archive server, holding more than 4 million archived messages, was restored to operation and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were fully operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Most of the desktop computers were fully operational.
"A lot of what occurred in the early hours is nearly entirely a fog for me, but we will not soon forget the commitment all of the team showed to help get our company back. I've trusted Progent for the past ten years, maybe more, and every time Progent has shined and delivered. This time was a Herculean accomplishment."
A potentially business-killing disaster was averted by top-tier professionals, a wide range of subject matter expertise, and tight teamwork. Post-incident analysis showed that the attack described here would have been detected and stopped by modern endpoint protection, NIST Cybersecurity Framework best practices, user and administrator security training, well-designed incident response procedures, and disciplined patch management. Even so, well-resourced criminal and state-sponsored actors in Russia, China and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a ransomware attack, Progent's roster of experts has a proven track record in ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for letting me get some sleep after we got past the initial fire. All of you made an amazing effort, and if any of your team is around the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Barueri-Alphaville a portfolio of remote monitoring and security evaluation services to help you reduce the threat from ransomware. These services use behavior-based machine learning to uncover zero-day strains of ransomware that get past legacy signature-based anti-virus products.
For 24-hour ransomware cleanup experts in Barueri-Alphaville, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses SentinelOne's behavior-based analysis to guard physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which routinely evade traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to manage the complete threat progression: blocking, intrusion detection, containment, remediation, and forensics. Key features include single-click rollback of encrypted files using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and machine learning for round-the-clock monitoring of and response to attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering through leading-edge technologies packaged in one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you demonstrate compliance with government and industry data protection standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with leading backup technology providers to create ProSight Data Protection Services, a selection of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and track your backup processes and enable non-disruptive backup and fast restoration of important files and folders, applications, system images, and VMs. ProSight DPS helps your business avoid data loss caused by hardware failure, natural disasters, fire, malware such as ransomware, user error, malicious insiders, or software bugs. Managed services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you determine which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top information security vendors to deliver centralized control and comprehensive security for your inbound and outbound email. The hybrid architecture of the Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced protection against spam, malware, denial-of-service (DoS) attacks, directory harvest attacks, and other email-borne threats. Email Guard's Cloud Protection Layer serves as the first line of defense and blocks most threats before they reach your network firewall. This reduces your exposure to inbound threats and saves bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-site gateway can also help Exchange Server track and safeguard internal email that never leaves your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, enhance and troubleshoot their networking appliances such as routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that network diagrams are kept updated, copies and manages the configuration of almost all devices connected to your network, monitors performance, and sends notices when issues are discovered. By automating time-consuming network management activities, WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating devices that need important software patches, or resolving performance problems. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your IT system operating efficiently by tracking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so all potential problems can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported immediately to a different hardware solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information about your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL/TLS certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half of the time spent looking for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need as soon as you need it. Read more about the ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that uses behavior-based machine learning to defend endpoints and physical and virtual servers against modern malware such as ransomware and fileless exploits, which routinely evade traditional signature-based AV products. The service protects on-premises and cloud-based resources and offers a unified platform to address the entire attack progression: blocking, intrusion detection, containment, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Help Desk: Help Desk Managed Services
Progent's Help Desk services let your IT group offload help desk support to Progent or share support responsibilities transparently between your internal support team and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a seamless supplement to your in-house support group. End-user interaction with the service desk, delivery of support, escalation, ticket creation and tracking, performance metrics, and management of the service database are consistent regardless of whether incidents are resolved by your corporate IT support group, by Progent, or both. Read more about Progent's outsourced/co-managed Help Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management offer businesses of all sizes a versatile and affordable alternative for assessing, testing, scheduling, applying, and tracking software and firmware updates to your dynamic IT system. In addition to maximizing the security and functionality of your IT network, Progent's software/firmware update management services permit your in-house IT team to concentrate on line-of-business initiatives and tasks that deliver maximum business value from your information network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA service plans use Cisco's Duo technology to limit the damage from stolen passwords by requiring two-factor authentication (2FA). Duo supports single-tap identity confirmation on iOS, Android, and other personal devices. With Duo 2FA, after you enter your password for a protected account you are asked to confirm your identity on a device that only you possess, over a separate ("out-of-band") channel, so a phished or leaked password alone is not enough to log in. A wide selection of devices can serve as this second factor, such as a smartphone or watch, a hardware token, or a landline phone, and you can enroll several verification devices. To learn more about ProSight Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of real-time and in-depth management reporting plug-ins designed to integrate with the leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as inconsistent support follow-through or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.