Ransomware: Your Crippling Information Technology Disaster
Crypto-Ransomware Remediation Professionals
Ransomware has become a too-frequent cyber pandemic that represents an enterprise-level danger for organizations vulnerable to attack. Multiple generations of crypto-ransomware such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for years and continue to cause harm. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, as well as frequent unnamed newcomers, not only encrypt online data files but also attack whatever system protection they can reach. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can render automated restore operations useless and effectively knock the datacenter back to zero.

Recovering applications and information after a ransomware outage becomes a sprint against the clock as the targeted organization tries its best to stop lateral movement, eradicate the ransomware, and resume enterprise-critical activity. Since crypto-ransomware requires time to replicate, assaults are often launched during nights and weekends, when successful attacks typically take more time to uncover. This multiplies the difficulty of quickly assembling and organizing a knowledgeable response team.

Progent offers a variety of services for protecting enterprises from ransomware events. These include staff training to help employees recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security gateways with artificial intelligence technology to quickly identify and suppress zero-day cyber threats. Progent can also provide the assistance of seasoned ransomware recovery consultants with the track record and commitment to re-deploy a breached environment as rapidly as possible.

Progent's Ransomware Restoration Support Services
Following a crypto-ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that cyber hackers will return the keys to decipher any or all of your files. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET averages to be approximately $13,000. The other path is to piece back together the vital parts of your IT environment. Absent the availability of complete information backups, this calls for a wide range of skill sets, professional project management, and the willingness to work non-stop until the task is finished.

For decades, Progent has made available professional IT services for companies in Cabo Frio and across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP software solutions. This breadth of expertise gives Progent the capability to quickly identify critical systems, re-organize the remaining parts of your computer network after a ransomware attack, and configure them into a functioning system.

Progent's security group deploys state-of-the-art project management applications to orchestrate the sophisticated recovery process. Progent appreciates the importance of working rapidly and in concert with a client's management and IT team members to prioritize tasks and to put critical applications back online as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Intrusion Response
A client sought out Progent after their network was attacked by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state cybercriminals, suspected of adopting techniques leaked from the U.S. NSA. Ryuk targets specific businesses with little tolerance for disruption and is among the most lucrative incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk attack had shut down all company operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the attack and were destroyed. The client was preparing to pay the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.


"I cannot thank you enough in regards to the expertise Progent gave us during the most stressful period of (our) business's survival. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent experts provided us. That you could get our e-mail and essential servers back quicker than five days was earth shattering. Every single expert I worked with or messaged at Progent was totally committed to getting my company operational and was working at breakneck pace on our behalf."

Progent worked hand in hand with the customer to quickly determine and prioritize the key elements that needed to be addressed to make it possible to restart company operations:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To get going, Progent adhered to AV/malware incident response industry best practices by isolating and cleaning up infected systems. Progent then started the process of rebuilding Microsoft Active Directory, the heart of enterprise environments built upon Microsoft technology. Exchange messaging will not work without AD, and the customer's financials and MRP software utilized SQL Server, which needs Active Directory for access to the data.

In less than 48 hours, Progent was able to recover Active Directory to its pre-virus state. Progent then accomplished reinstallations and storage recovery of critical systems. All Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to collect local OST data files (Microsoft Outlook Off-Line Data Files) from user PCs in order to recover email messages. A fairly recent offline backup of the client's financials/ERP systems made it possible to bring these required applications back to users. Although a lot of work was left to recover completely from the Ryuk attack, essential services were recovered rapidly:


"For the most part, the assembly line operation showed little impact and we did not miss any customer sales."

During the next couple of weeks important milestones in the recovery process were achieved through tight collaboration between Progent consultants and the client:

  • Internal web applications were brought back up with no loss of data.
  • The MailStore email archive for Microsoft Exchange Server, holding more than 4 million archived emails, was restored to operation and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control functions were 100% functional.
  • A new Palo Alto 850 security appliance was installed.
  • Most of the desktop computers were fully operational.

"A lot of what transpired in the early hours is nearly entirely a fog for me, but I will not forget the urgency each of you put in to help get our business back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A possible company-ending disaster was dodged with dedicated experts, a wide range of knowledge, and close collaboration. In retrospect, the ransomware penetration described here would have been blocked with current security systems, NIST Cybersecurity Framework best practices, team education, and well designed procedures for information backup and for keeping systems up to date with security patches. The fact remains, however, that state-sponsored hackers from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware incursion, be confident that Progent's roster of professionals has a proven track record in ransomware blocking, mitigation, and information systems restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for letting me get rested after we got over the most critical parts. All of you did a fabulous effort, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Cabo Frio a range of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services include next-generation artificial intelligence technology to detect new variants of ransomware that are able to evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily escape legacy signature-matching AV tools. ProSight ASM safeguards local and cloud resources and offers a single platform to automate the entire malware attack progression including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge tools incorporated within a single agent accessible from a unified control. Progent's security and virtualization experts can assist your business to design and implement a ProSight ESP environment that addresses your company's unique needs and that helps you prove compliance with government and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also assist you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). For a low monthly price, ProSight DPS automates and monitors your backup processes and enables rapid recovery of vital data, apps and VMs that have become unavailable or damaged as a result of component breakdowns, software glitches, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery consultants can provide world-class support to set up ProSight DPS to comply with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your critical information. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security companies to provide centralized control and world-class protection for all your inbound and outbound email. The hybrid architecture of the Email Guard managed service combines cloud-based filtering with a local gateway device to offer complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map, track, optimize and debug their connectivity appliances like routers and switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration of almost all devices on your network, tracks performance, and sends alerts when issues are detected. By automating complex network management activities, WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, finding appliances that need important updates, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your IT system operating at peak levels by checking the health of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT management staff and your Progent consultant so that all looming issues can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved immediately to a different hosting environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save as much as half of the time spent searching for vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about ProSight IT Asset Management service.
For Cabo Frio 24/7/365 CryptoLocker Removal Experts, contact Progent at 800-462-8800 or go to Contact Progent.