Ransomware: Your Feared IT Disaster
Ransomware Remediation Professionals
Ransomware has become a modern cyber pandemic that presents an extinction-level danger for organizations vulnerable to an attack. Different versions of crypto-ransomware such as the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for a long time and still inflict destruction. Recent strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with unnamed newcomers, not only encrypt online data files but also corrupt any system restore points and backups they can reach. Data replicated to cloud environments can be encrypted as well. In a poorly architected environment this renders automated recovery useless and effectively knocks the datacenter back to square one.

Restoring online services and data after a ransomware attack becomes a race against time as the targeted organization fights to stop the spread, eradicate the ransomware, and restore business-critical activity. Because ransomware takes time to spread, attacks are often launched on weekends, when successful penetrations typically take longer to identify. This compounds the difficulty of promptly assembling and coordinating a capable mitigation team.

Progent provides a range of solutions for securing businesses against crypto-ransomware attacks. Among these are staff training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security solutions with artificial intelligence capabilities to rapidly detect and disable zero-day threats. Progent also offers the services of seasoned crypto-ransomware recovery engineers with the skills and commitment to reconstruct a breached network as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom demand in Bitcoin does not guarantee that the attackers will respond with the keys needed to decrypt any of your files. Kaspersky Labs estimated that 17% of ransomware victims never restored their data even after paying the ransom, compounding their losses. The ransom itself is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNet estimates at around $13,000. The alternative is to re-install the mission-critical elements of your IT environment. Without usable backups of essential data, this calls for a broad complement of skill sets, well-coordinated project management, and the ability to work non-stop until the recovery project is done.

For two decades, Progent has provided professional IT services for businesses in Barueri-Alphaville and across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of experience allows Progent to quickly identify the important systems following a ransomware event, consolidate the remaining components of your IT environment, and configure them into a working system.

Progent's ransomware team of experts uses top-notch project management systems to coordinate the complex recovery process. Progent understands the urgency of acting swiftly and in unison with a customer's management and IT staff to prioritize tasks and get the most important systems back online as fast as humanly possible.

Client Story: A Successful Ransomware Intrusion Recovery
A business engaged Progent after its network was crippled by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored criminal groups, suspected of using techniques leaked from the US National Security Agency (NSA). Ryuk targets organizations with little tolerance for operational disruption and is one of the most profitable examples of ransomware malware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company in Chicago with around 500 staff members. The Ryuk penetration had halted all business operations and manufacturing processes. The majority of the client's backups had been online at the time of the attack and were damaged. The client was considering paying the ransom (in excess of $200,000) and hoping for the best, but in the end called Progent.


"I can't say enough in regards to the support Progent provided us throughout the most critical time of (our) business's existence. We had little choice but to pay the criminal gangs except for the confidence the Progent team provided us. That you were able to get our e-mail and essential applications back online in less than a week was incredible. Every single person I got help from or texted at Progent was laser focused on getting us back on-line and was working day and night on our behalf."

Progent worked with the client to rapidly determine and assign priority to the essential services that had to be recovered in order to continue business functions:

  • Active Directory (AD)
  • Microsoft Exchange
  • Accounting and Manufacturing Software

To begin, Progent followed industry best practices for malware incident mitigation by halting lateral movement and cleaning up compromised systems. Progent then set about bringing Microsoft Active Directory back online, since AD is the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not work without Windows AD, and the customer's financials and MRP applications ran on Microsoft SQL Server, which needs Windows AD for access to the databases.
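One way to turn that dependency reasoning into a repeatable restore plan, as an added Python illustration that is not Progent's tooling or code from this page: each service is declared with the services it needs, and a topological sort (Kahn's algorithm) groups them into waves, so everything in one wave can be rebuilt in parallel once the previous wave is back. The service names and dependency map below are a constructed sample modelled on the case study (Exchange and SQL Server need AD; the accounting and MRP applications need SQL Server); an unknown dependency or a cycle is reported as an error rather than silently producing a bad plan.

```python
"""Compute a ransomware recovery order from a service dependency map.

Added illustration, not Progent's tooling. Each service maps to the set of
services that must be restored before it. restore_waves() returns groups of
services that can be rebuilt in parallel, in dependency order.
"""


# Constructed sample modelled on the case study in the text: Exchange needs
# AD, the accounting and MRP applications sit on SQL Server, and SQL Server
# needs AD for database authentication. The names are placeholders.
SAMPLE_DEPENDENCIES = {
    "Active Directory": set(),
    "Exchange": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "Accounting": {"SQL Server"},
    "MRP": {"SQL Server"},
}


def restore_waves(deps):
    """Return restore waves (sorted lists of service names) in dependency order.

    Raises ValueError if a dependency names a service that is not declared
    or if the graph contains a cycle, since either means the plan is wrong.
    """
    unknown = {d for needs in deps.values() for d in needs} - set(deps)
    if unknown:
        raise ValueError(f"undefined dependencies: {sorted(unknown)}")

    # Copy the unmet-dependency sets so the caller's map is not mutated,
    # and build the reverse edges (who is waiting on each service).
    remaining = {svc: set(needs) for svc, needs in deps.items()}
    dependents = {svc: set() for svc in deps}
    for svc, needs in deps.items():
        for d in needs:
            dependents[d].add(svc)

    waves = []
    # Wave 1 is every service with no dependencies (e.g. Active Directory).
    ready = sorted(svc for svc, needs in remaining.items() if not needs)
    while ready:
        waves.append(ready)
        next_ready = set()
        for svc in ready:
            # Restoring svc satisfies one dependency of each dependent;
            # dependents with nothing left to wait for join the next wave.
            for child in dependents[svc]:
                remaining[child].discard(svc)
                if not remaining[child]:
                    next_ready.add(child)
        ready = sorted(next_ready)

    placed = {svc for wave in waves for svc in wave}
    if placed != set(deps):
        raise ValueError(f"dependency cycle among: {sorted(set(deps) - placed)}")
    return waves


def restore_order(deps):
    """Flatten the waves into a single sequential restore list."""
    return [svc for wave in restore_waves(deps) for svc in wave]


if __name__ == "__main__":
    for n, wave in enumerate(restore_waves(SAMPLE_DEPENDENCIES), start=1):
        print(f"wave {n}: {', '.join(wave)}")
```

For the sample map this yields three waves: Active Directory first, then Exchange and SQL Server together, then Accounting and MRP. Keeping the map in version control alongside the disaster recovery runbook means the restore order is known before an incident rather than worked out under pressure.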

Within 2 days, Progent had recovered Active Directory services to their pre-attack state. Progent then performed setup and disk recovery on the most important servers. All Exchange Server links and attributes in AD were intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder Files) from user PCs and laptops in order to recover email data. A fairly recent offline backup of the client's accounting/ERP systems made it possible to return these vital services to users. Although a large amount of work remained to recover fully from the Ryuk event, the most important systems were returned to operation rapidly:


"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer deliverables."

During the following month critical milestones in the restoration project were accomplished through tight collaboration between Progent engineers and the client:

  • Internal web sites were brought back up with no loss of information.
  • The MailStore email archive server for Microsoft Exchange, containing more than four million archived emails, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory capabilities were 100 percent restored.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Nearly all of the desktop computers were back into operation.

"A lot of what was accomplished that first week is mostly a haze for me, but my team will not soon forget the countless hours all of you accomplished to give us our company back. I’ve entrusted Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered. This time was a Herculean accomplishment."

Conclusion
A likely business-ending disaster was averted through the efforts of results-oriented professionals, a broad range of technical expertise, and close collaboration. In hindsight, the ransomware penetration described here could have been identified and prevented with current cyber security technology and best practices, staff education, well thought out incident response procedures, and keeping systems up to date with security patches. The reality remains, however, that government-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incursion, you can be confident that Progent's roster of experts has proven experience in ransomware blocking, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thanks very much for letting me get some sleep after we made it through the most critical parts. All of you did a fabulous effort, and if any of you guys are around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Barueri-Alphaville a portfolio of online monitoring and security assessment services designed to assist you to minimize the threat from crypto-ransomware. These services utilize next-generation AI capability to detect zero-day strains of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that uses behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to address the entire threat lifecycle including filtering, identification, mitigation, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint control, and web filtering via cutting-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP deployment that addresses your company's unique needs and allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent can also help you set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with leading backup technology companies to create ProSight Data Protection Services, a selection of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services automate and track your backup processes and enable transparent backup and fast restoration of important files, apps, system images, and VMs. ProSight DPS lets your business recover from data loss resulting from hardware failures, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned insiders, or software bugs. Managed services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security vendors to provide centralized management and world-class security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This reduces your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite gateway device adds a deeper layer of analysis for inbound email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map out, monitor, reconfigure and debug their networking hardware such as switches, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends notices when potential issues are detected. By automating complex network management processes, ProSight WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding appliances that require critical software patches, or resolving performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent’s server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating at peak levels by tracking the state of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so all potential problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected, fault-tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported easily to a different hardware solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSL certificates, domains, or warranties. By updating and managing your IT documentation, you can eliminate as much as 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses behavior-based machine learning technology to defend endpoints, servers, and VMs against new malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud resources and provide a single platform to address the entire threat lifecycle including protection, identification, containment, remediation, and forensics. Key features include one-click rollback with Windows VSS and real-time system-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Desk: Call Center Managed Services
    Progent's Help Desk managed services allow your IT group to offload Call Center services to Progent or split Help Desk activity seamlessly between your in-house support team and Progent's extensive roster of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless supplement to your in-house support resources. End user interaction with the Help Desk, provision of support services, problem escalation, trouble ticket creation and tracking, efficiency metrics, and management of the service database are cohesive whether issues are resolved by your corporate network support organization, by Progent's team, or by a mix of the two. Read more about Progent's outsourced/shared Call Center services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide organizations of all sizes a versatile and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting updates to your ever-evolving IT system. Besides optimizing the security and reliability of your computer network, Progent's patch management services free up time for your in-house IT team to concentrate on line-of-business initiatives and activities that derive the highest business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services use Cisco's Duo cloud technology to defend against compromised passwords through two-factor authentication. Duo supports one-tap identity confirmation with iOS, Android, and other personal devices. With Duo 2FA, whenever you log into a secured online account and enter your password you are asked to confirm who you are on a device that only you possess and that uses a different network channel. A broad range of devices can be used for this second means of identity validation, including a smartphone or watch, a hardware token, a landline phone, and more. You may designate multiple verification devices. To find out more about Duo identity validation services, refer to Duo MFA two-factor authentication services for access security.

For 24x7x365 Barueri-Alphaville Crypto Removal Experts, call Progent at 800-462-8800 or go to Contact Progent.