Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware  Recovery ProfessionalsCrypto-Ransomware has become a too-frequent cyberplague that poses an existential threat for businesses unprepared for an attack. Different iterations of ransomware such as Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and still cause damage. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus additional as yet unnamed malware, not only encrypt online critical data but also infiltrate any configured system restores and backups. Information replicated to off-site disaster recovery sites can also be encrypted. In a vulnerable data protection solution, this can render any restoration hopeless and effectively sets the datacenter back to square one.

Getting back programs and information following a ransomware intrusion becomes a race against time as the victim struggles to contain and eradicate the crypto-ransomware and to restore enterprise-critical activity. Since ransomware takes time to move laterally, assaults are often sprung at night, when successful attacks are likely to take longer to uncover. This compounds the difficulty of promptly marshalling and orchestrating a capable mitigation team.

Progent offers an assortment of services for securing enterprises from ransomware penetrations. These include team member education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation security appliances with AI technology from SentinelOne to detect and suppress day-zero cyber attacks automatically. Progent also offers the assistance of seasoned ransomware recovery professionals with the talent and commitment to re-deploy a breached environment as soon as possible.

Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will respond with the needed codes to decipher all your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well higher than the typical crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to piece back together the essential parts of your Information Technology environment. Absent the availability of full system backups, this calls for a wide range of skill sets, well-coordinated team management, and the ability to work continuously until the job is over.

For twenty years, Progent has made available professional IT services for businesses in Barueri-Alphaville and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained top industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security experts have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with accounting and ERP application software. This breadth of expertise provides Progent the skills to efficiently identify important systems and consolidate the surviving components of your computer network environment following a crypto-ransomware penetration and assemble them into an operational network.

Progent's ransomware group deploys top notch project management systems to orchestrate the complicated restoration process. Progent knows the importance of working quickly and in unison with a client's management and Information Technology resources to assign priority to tasks and to get key services back online as fast as possible.

Case Study: A Successful Ransomware Virus Restoration
A customer engaged Progent after their network was crashed by the Ryuk ransomware virus. Ryuk is believed to have been created by North Korean state criminal gangs, suspected of using technology leaked from the United States National Security Agency. Ryuk attacks specific businesses with little ability to sustain operational disruption and is one of the most lucrative instances of ransomware. Well Known organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with around 500 employees. The Ryuk penetration had paralyzed all essential operations and manufacturing processes. The majority of the client's data backups had been on-line at the start of the intrusion and were destroyed. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and praying for good luck, but in the end reached out to Progent.


"I cannot thank you enough in regards to the support Progent gave us during the most critical period of (our) company�s survival. We most likely would have paid the hackers behind this attack except for the confidence the Progent experts provided us. That you were able to get our e-mail system and important servers back into operation in less than one week was amazing. Every single staff member I talked with or messaged at Progent was absolutely committed on getting us restored and was working 24 by 7 to bail us out."

Progent worked with the customer to rapidly get our arms around and assign priority to the essential services that had to be recovered in order to restart business functions:

  • Active Directory (AD)
  • Electronic Messaging
  • Financials/MRP
To get going, Progent followed AV/Malware Processes event mitigation best practices by isolating and clearing up compromised systems. Progent then started the process of bringing back online Microsoft AD, the foundation of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Active Directory, and the businesses� accounting and MRP applications utilized Microsoft SQL, which depends on Active Directory for authentication to the information.

Within two days, Progent was able to re-build Windows Active Directory to its pre-penetration state. Progent then completed rebuilding and hard drive recovery of needed applications. All Microsoft Exchange Server ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to assemble local OST data files (Outlook Email Offline Data Files) on staff desktop computers and laptops in order to recover mail information. A not too old offline backup of the client's financials/MRP software made it possible to restore these essential programs back on-line. Although major work still had to be done to recover completely from the Ryuk event, essential systems were restored quickly:


"For the most part, the assembly line operation showed little impact and we delivered all customer shipments."

During the next month key milestones in the restoration process were accomplished through close collaboration between Progent team members and the customer:

  • Internal web sites were returned to operation without losing any data.
  • The MailStore Server with over 4 million historical messages was brought on-line and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were fully operational.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Ninety percent of the user desktops and notebooks were being used by staff.

"Much of what went on in the early hours is mostly a fog for me, but my team will not forget the urgency each of you accomplished to give us our business back. I�ve entrusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This event was the most impressive ever."

Conclusion
A probable business-ending catastrophe was avoided through the efforts of results-oriented experts, a broad array of subject matter expertise, and tight collaboration. Although upon completion of forensics the crypto-ransomware attack detailed here could have been identified and blocked with advanced cyber security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and well designed incident response procedures for backup and proper patching controls, the fact remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware penetration, feel confident that Progent's roster of experts has a proven track record in ransomware virus blocking, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), thank you for letting me get some sleep after we got over the most critical parts. Everyone did an incredible effort, and if any of your team is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Barueri-Alphaville a variety of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services utilize modern artificial intelligence capability to detect new variants of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior machine learning tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily escape legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to manage the entire malware attack progression including filtering, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single control. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP deployment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent's consultants can also assist you to install and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services, a family of offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and track your data backup operations and allow non-disruptive backup and fast recovery of vital files, apps, system images, plus virtual machines. ProSight DPS helps your business recover from data loss resulting from equipment failures, natural disasters, fire, malware such as ransomware, human mistakes, malicious employees, or software bugs. Managed services available in the ProSight DPS product family include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security vendors to deliver centralized management and world-class protection for all your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, monitor, optimize and troubleshoot their networking hardware such as routers, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept current, copies and manages the configuration information of almost all devices on your network, monitors performance, and sends alerts when problems are detected. By automating tedious management activities, WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, finding devices that require important updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent’s server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network running efficiently by tracking the state of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT staff and your Progent consultant so that all potential issues can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved easily to an alternate hardware environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect information related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate up to 50% of time wasted looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you’re planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior machine learning technology to defend endpoints as well as servers and VMs against modern malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus products. Progent Active Security Monitoring services protect local and cloud resources and provides a single platform to automate the entire malware attack progression including protection, infiltration detection, containment, cleanup, and forensics. Key features include single-click rollback with Windows VSS and real-time network-wide immunization against new threats. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
    Progent's Support Center managed services enable your IT group to outsource Call Center services to Progent or split activity for Help Desk services transparently between your in-house support resources and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a seamless supplement to your core IT support group. End user access to the Help Desk, delivery of technical assistance, problem escalation, ticket generation and tracking, performance metrics, and management of the support database are cohesive regardless of whether issues are resolved by your core IT support resources, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of any size a versatile and affordable alternative for evaluating, testing, scheduling, applying, and documenting updates to your ever-evolving information system. In addition to optimizing the security and reliability of your computer network, Progent's patch management services permit your IT team to concentrate on line-of-business initiatives and activities that deliver the highest business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo technology to defend against compromised passwords by using two-factor authentication. Duo enables one-tap identity verification with Apple iOS, Google Android, and other personal devices. With 2FA, when you log into a secured application and give your password you are requested to verify who you are via a unit that only you possess and that is accessed using a separate network channel. A wide range of devices can be used as this second means of authentication including a smartphone or wearable, a hardware token, a landline telephone, etc. You may designate multiple validation devices. To find out more about ProSight Duo two-factor identity validation services, see Duo MFA two-factor authentication services.
For Barueri-Alphaville 24/7/365 Ransomware Remediation Services, call Progent at 800-462-8800 or go to Contact Progent.