Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware  Remediation ProfessionalsRansomware has become an escalating cyberplague that poses an enterprise-level danger for businesses poorly prepared for an attack. Multiple generations of ransomware like the CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been replicating for a long time and still inflict harm. Newer versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with daily unnamed newcomers, not only do encryption of on-line data but also infect any available system backups. Files synchronized to the cloud can also be corrupted. In a poorly designed system, this can make any recovery useless and basically sets the entire system back to zero.

Getting back on-line programs and data after a ransomware attack becomes a race against time as the targeted business struggles to stop lateral movement and cleanup the ransomware and to resume enterprise-critical operations. Since crypto-ransomware takes time to spread, penetrations are frequently launched on weekends, when attacks tend to take more time to detect. This compounds the difficulty of promptly mobilizing and coordinating a qualified mitigation team.

Progent has a range of solutions for securing businesses from ransomware events. Among these are team training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security solutions with machine learning capabilities to automatically detect and disable new cyber threats. Progent also can provide the assistance of experienced ransomware recovery engineers with the talent and commitment to reconstruct a compromised system as soon as possible.

Progent's Crypto-Ransomware Restoration Services
Soon after a crypto-ransomware penetration, sending the ransom in cryptocurrency does not ensure that cyber hackers will provide the keys to decrypt any or all of your files. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the typical ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to setup from scratch the mission-critical components of your IT environment. Without access to complete information backups, this calls for a wide range of skills, top notch project management, and the willingness to work continuously until the task is completed.

For decades, Progent has offered certified expert IT services for companies in Cabo Frio and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in accounting and ERP application software. This breadth of expertise gives Progent the ability to quickly identify important systems and integrate the surviving components of your IT system after a crypto-ransomware attack and configure them into a functioning network.

Progent's security team of experts has state-of-the-art project management applications to coordinate the complicated recovery process. Progent knows the importance of acting rapidly and in concert with a client's management and IT staff to prioritize tasks and to put the most important services back online as fast as humanly possible.

Customer Case Study: A Successful Ransomware Incident Recovery
A client engaged Progent after their company was taken over by Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean state sponsored hackers, suspected of using techniques leaked from the United States National Security Agency. Ryuk attacks specific companies with limited tolerance for disruption and is one of the most lucrative examples of crypto-ransomware. Well Known organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer located in the Chicago metro area and has about 500 workers. The Ryuk penetration had disabled all company operations and manufacturing processes. Most of the client's backups had been online at the beginning of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately called Progent.


"I cannot thank you enough in regards to the help Progent provided us during the most critical period of (our) businesses life. We would have paid the hackers behind this attack except for the confidence the Progent team afforded us. That you were able to get our e-mail and essential applications back into operation quicker than 1 week was amazing. Each consultant I talked with or e-mailed at Progent was laser focused on getting our system up and was working at all hours on our behalf."

Progent worked together with the client to quickly get our arms around and assign priority to the mission critical applications that had to be addressed to make it possible to resume business operations:

  • Active Directory
  • E-Mail
  • Accounting/MRP
To get going, Progent followed Anti-virus event response industry best practices by stopping lateral movement and cleaning up infected systems. Progent then initiated the steps of bringing back online Microsoft Active Directory, the heart of enterprise environments built upon Microsoft Windows technology. Exchange messaging will not operate without AD, and the client's accounting and MRP system leveraged Microsoft SQL, which needs Active Directory for access to the data.

Within 2 days, Progent was able to re-build Windows Active Directory to its pre-intrusion state. Progent then completed rebuilding and hard drive recovery of essential applications. All Microsoft Exchange Server schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to find intact OST data files (Outlook Offline Folder Files) on various desktop computers to recover mail information. A not too old offline backup of the businesses financials/ERP software made them able to return these vital services back available to users. Although a large amount of work needed to be completed to recover fully from the Ryuk virus, core systems were returned to operations quickly:


"For the most part, the manufacturing operation showed little impact and we produced all customer shipments."

Over the following month critical milestones in the restoration project were completed in tight collaboration between Progent consultants and the client:

  • Internal web sites were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server containing more than four million historical emails was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were fully restored.
  • A new Palo Alto 850 firewall was brought on-line.
  • 90% of the desktops and laptops were functioning as before the incident.

"A lot of what happened those first few days is mostly a blur for me, but my management will not forget the dedication all of your team put in to give us our company back. Iíve been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This situation was a stunning achievement."

Conclusion
A potential company-ending disaster was evaded by hard-working experts, a wide spectrum of knowledge, and tight teamwork. Although in retrospect the ransomware virus incident detailed here would have been stopped with up-to-date cyber security technology and ISO/IEC 27001 best practices, staff training, and well designed incident response procedures for data protection and keeping systems up to date with security patches, the reality is that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware penetration, feel confident that Progent's team of experts has substantial experience in crypto-ransomware virus defense, remediation, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for allowing me to get some sleep after we made it past the first week. Everyone did an incredible job, and if any of your team is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Cabo Frio a range of remote monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services incorporate next-generation AI capability to detect zero-day strains of crypto-ransomware that can evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates cutting edge behavior-based analysis tools to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to manage the entire threat lifecycle including protection, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering through cutting-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can help your business to plan and configure a ProSight ESP environment that addresses your company's specific needs and that allows you demonstrate compliance with legal and industry data protection regulations. Progent will assist you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent can also assist your company to set up and test a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore technology providers to create ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and enable transparent backup and fast restoration of vital files, apps, images, plus VMs. ProSight DPS lets your business recover from data loss resulting from hardware breakdown, natural calamities, fire, malware such as ransomware, user mistakes, malicious insiders, or software bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading data security vendors to deliver centralized management and comprehensive protection for your inbound and outbound email. The powerful structure of Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's on-premises gateway device adds a deeper level of inspection for incoming email. For outbound email, the local security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map, monitor, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and load balancers plus servers, printers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, copies and displays the configuration of virtually all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating complex network management activities, WAN Watch can knock hours off common tasks such as network mapping, expanding your network, finding appliances that require critical updates, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the state of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT management personnel and your Progent consultant so that all potential problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSLs ,domains or warranties. By cleaning up and organizing your network documentation, you can eliminate up to half of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents required for managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether youíre planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting edge behavior-based analysis technology to defend endpoints as well as physical and virtual servers against new malware assaults like ransomware and file-less exploits, which easily get by traditional signature-based anti-virus products. Progent ASM services protect on-premises and cloud-based resources and provides a unified platform to manage the complete malware attack progression including filtering, identification, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Call Center managed services enable your IT group to offload Call Center services to Progent or split activity for Service Desk support transparently between your internal support staff and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth extension of your internal support staff. User access to the Help Desk, delivery of support, escalation, ticket creation and tracking, efficiency metrics, and management of the service database are cohesive regardless of whether incidents are taken care of by your in-house IT support group, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer businesses of any size a flexible and affordable solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT system. Besides optimizing the protection and reliability of your computer network, Progent's software/firmware update management services permit your IT team to focus on line-of-business projects and tasks that derive maximum business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication. Duo enables single-tap identity confirmation with iOS, Google Android, and other personal devices. Using 2FA, when you sign into a secured application and enter your password you are asked to confirm who you are on a device that only you possess and that uses a different network channel. A broad selection of devices can be used for this second means of ID validation such as an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can designate several verification devices. To learn more about Duo identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.
For Cabo Frio 24x7x365 Crypto-Ransomware Repair Consulting, contact Progent at 800-462-8800 or go to Contact Progent.