Ransomware : Your Worst IT Catastrophe
Ransomware  Recovery ConsultantsCrypto-Ransomware has become an escalating cyberplague that represents an existential danger for businesses of all sizes unprepared for an assault. Different versions of ransomware like the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been running rampant for a long time and still cause damage. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as frequent as yet unnamed viruses, not only do encryption of online information but also infect any configured system restores and backups. Files synched to cloud environments can also be ransomed. In a poorly architected system, it can make automated restore operations impossible and basically knocks the datacenter back to zero.

Retrieving applications and information after a ransomware attack becomes a sprint against time as the victim fights to stop lateral movement and cleanup the crypto-ransomware and to resume mission-critical activity. Since crypto-ransomware takes time to move laterally, penetrations are usually launched on weekends, when attacks tend to take more time to discover. This multiplies the difficulty of quickly marshalling and coordinating a knowledgeable mitigation team.

Progent has a range of support services for securing organizations from crypto-ransomware penetrations. Among these are user education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of the latest generation security gateways with artificial intelligence capabilities from SentinelOne to discover and disable zero-day cyber threats rapidly. Progent also can provide the assistance of seasoned ransomware recovery professionals with the track record and perseverance to restore a compromised network as rapidly as possible.

Progent's Ransomware Restoration Help
Soon after a ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that criminal gangs will return the codes to unencrypt any of your files. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their information after having paid the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the average crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The alternative is to re-install the essential elements of your IT environment. Without access to essential system backups, this requires a broad range of IT skills, professional team management, and the willingness to work non-stop until the recovery project is done.

For two decades, Progent has made available expert IT services for companies in Cabo Frio and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained high-level certifications in key technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security experts have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of experience provides Progent the ability to rapidly ascertain necessary systems and integrate the remaining parts of your computer network environment following a crypto-ransomware penetration and configure them into a functioning network.

Progent's security team of experts deploys state-of-the-art project management tools to coordinate the complicated restoration process. Progent understands the urgency of acting swiftly and in unison with a customer�s management and Information Technology staff to prioritize tasks and to get critical services back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Virus Response
A small business escalated to Progent after their network system was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been deployed by Northern Korean state sponsored cybercriminals, possibly using approaches exposed from the United States NSA organization. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most lucrative iterations of crypto-ransomware. Well Known targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago with around 500 workers. The Ryuk intrusion had disabled all essential operations and manufacturing capabilities. The majority of the client's data protection had been directly accessible at the start of the attack and were destroyed. The client was taking steps for paying the ransom (in excess of $200,000) and wishfully thinking for good luck, but in the end made the decision to use Progent.


"I cannot speak enough in regards to the expertise Progent gave us throughout the most stressful period of (our) company�s existence. We most likely would have paid the hackers behind this attack except for the confidence the Progent experts afforded us. That you were able to get our messaging and critical applications back into operation sooner than 1 week was incredible. Every single staff member I worked with or communicated with at Progent was totally committed on getting us working again and was working 24/7 on our behalf."

Progent worked with the customer to quickly identify and assign priority to the most important areas that had to be restored to make it possible to restart company operations:

  • Active Directory
  • E-Mail
  • Accounting/MRP
To get going, Progent followed ransomware penetration response industry best practices by isolating and disinfecting systems. Progent then initiated the task of restoring Active Directory, the key technology of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Windows AD, and the client's MRP system leveraged Microsoft SQL, which needs Active Directory for access to the data.

Within 2 days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then charged ahead with reinstallations and hard drive recovery of critical applications. All Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Microsoft Outlook Offline Data Files) on staff PCs to recover email data. A not too old off-line backup of the client's financials/ERP software made them able to return these vital services back online for users. Although major work was left to recover totally from the Ryuk event, the most important systems were returned to operations quickly:


"For the most part, the production manufacturing operation was never shut down and we made all customer orders."

During the following month key milestones in the restoration project were made in tight collaboration between Progent consultants and the client:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Exchange Server exceeding 4 million historical messages was spun up and accessible to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory Control functions were completely functional.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Nearly all of the user PCs were functioning as before the incident.

"A huge amount of what transpired those first few days is mostly a haze for me, but my management will not forget the commitment each of the team put in to give us our business back. I�ve been working together with Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered. This event was a Herculean accomplishment."

Conclusion
A likely business catastrophe was dodged by dedicated experts, a broad spectrum of knowledge, and close collaboration. Although upon completion of forensics the ransomware virus incident detailed here could have been identified and prevented with modern cyber security solutions and recognized best practices, user training, and well thought out incident response procedures for data protection and applying software patches, the fact is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware virus, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were helping), thanks very much for letting me get some sleep after we made it past the first week. All of you did an incredible job, and if anyone is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Cabo Frio a range of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services include next-generation machine learning capability to detect zero-day strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which easily get by traditional signature-matching AV products. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the complete malware attack lifecycle including blocking, detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP environment that meets your company's specific requirements and that allows you prove compliance with government and industry information security regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require immediate action. Progent can also help your company to install and verify a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup technology providers to produce ProSight Data Protection Services, a portfolio of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services automate and track your data backup operations and enable transparent backup and fast restoration of critical files, apps, system images, plus virtual machines. ProSight DPS helps your business avoid data loss caused by equipment failures, natural calamities, fire, malware like ransomware, human mistakes, malicious insiders, or software glitches. Managed backup services available in the ProSight Data Protection Services product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security companies to provide centralized control and world-class security for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway appliance to provide complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This reduces your exposure to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper level of inspection for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, track, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers plus servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are always updated, captures and manages the configuration of almost all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating complex management activities, ProSight WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, finding devices that need important software patches, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progents server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your network running at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so that all looming issues can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hosting solution without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSLs or domains. By updating and managing your IT infrastructure documentation, you can eliminate up to half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether youre making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes next generation behavior machine learning technology to guard endpoints and servers and VMs against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. Progent ASM services safeguard on-premises and cloud resources and offers a single platform to address the complete malware attack progression including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Desk: Call Center Managed Services
    Progent's Support Desk managed services enable your IT staff to outsource Call Center services to Progent or split responsibilities for support services transparently between your internal network support team and Progent's nationwide roster of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a transparent supplement to your in-house support organization. User interaction with the Service Desk, delivery of support, issue escalation, ticket creation and updates, efficiency metrics, and management of the service database are cohesive whether incidents are resolved by your core network support staff, by Progent, or both. Learn more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and cost-effective alternative for assessing, validating, scheduling, implementing, and tracking updates to your ever-evolving IT network. Besides maximizing the protection and reliability of your IT environment, Progent's patch management services permit your IT team to focus on more strategic initiatives and tasks that derive maximum business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans utilize Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo enables single-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. Using 2FA, when you log into a protected application and enter your password you are requested to confirm who you are via a unit that only you have and that is accessed using a separate network channel. A broad selection of out-of-band devices can be utilized as this second means of ID validation including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You can designate several validation devices. To learn more about Duo two-factor identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.
For 24/7/365 Cabo Frio Crypto Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.