Ransomware : Your Worst Information Technology Nightmare
Ransomware Remediation Professionals
Ransomware has become an all-too-frequent cyberplague that represents an enterprise-level danger for businesses poorly prepared for an attack. Crypto-ransomware families such as CrySIS, Fusob, Locky, NotPetya and the MongoLock cryptoworm have been replicating for many years and continue to cause harm. Newer strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, plus frequent unnamed malware, not only encrypt online files but also disable every system protection mechanism they can reach. Files synced to cloud environments can also be ransomed. In a poorly architected data protection solution, this can make automatic restore operations hopeless and effectively sets the network back to zero.

Recovering applications and data after a crypto-ransomware outage becomes a sprint against the clock as the victim tries to contain and remove the malware and to resume mission-critical operations. Because ransomware takes time to spread, attacks are usually launched at night and on weekends, when a successful attack typically takes longer to notice. This compounds the difficulty of promptly assembling and coordinating a qualified mitigation team.

Progent offers an assortment of solutions for protecting organizations from ransomware attacks. Among these are user education to help staff recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions from SentinelOne that use machine learning to identify and quarantine new cyber threats. Progent also provides the services of veteran ransomware recovery professionals with the skill and commitment to bring a compromised network back up as quickly as possible.

Progent's Ransomware Restoration Services
Following a ransomware event, even paying the ransom in Bitcoin does not guarantee that the attackers will hand over the keys needed to decrypt any or all of your data. Kaspersky found that 17% of ransomware victims never recovered their information after sending the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to rebuild the vital components of your Information Technology environment from scratch. Without access to full data backups, this requires a broad complement of skills, well-coordinated project management, and the capability to work non-stop until the job is complete.

For decades, Progent has provided expert Information Technology services for companies in Campinas and across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of experience gives Progent the skills to rapidly understand important systems, salvage the surviving parts of your Information Technology environment following a crypto-ransomware event, and reassemble them into an operational system.

Progent's recovery group uses top-notch project management applications to orchestrate the complex restoration process. Progent appreciates the importance of acting swiftly and in concert with a customer's management and IT team members to prioritize tasks and to put the most important services back online as soon as possible.

Case Study: A Successful Crypto-Ransomware Attack Response
A small business turned to Progent after its network was taken over by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored criminal gangs, suspected of using technology leaked from the U.S. NSA. Ryuk targets specific businesses with little or no tolerance for disruption and is one of the most lucrative versions of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with around 500 employees. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. Most of the client's system backups had been online at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom (exceeding $200,000) and hoping for the best, but ultimately engaged Progent.


"I can't thank you enough in regards to the expertise Progent provided us during the most fearful period of (our) company's existence. We would have paid the Hackers if it wasn't for the confidence the Progent team gave us. The fact that you were able to get our e-mail and essential applications back online sooner than seven days was amazing. Every single expert I interacted with or communicated with at Progent was laser focused on getting us restored and was working at all hours on our behalf."

Progent worked hand in hand with the customer to rapidly assess and prioritize the key applications that needed to be addressed in order to restart departmental operations:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting/MRP

To begin, Progent followed ransomware incident response industry best practices by stopping the spread and cleaning infected systems. Progent then started the process of restoring Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Active Directory, and the client's MRP software used Microsoft SQL Server, which relies on Active Directory to authorize access to the database.

In less than 2 days, Progent was able to recover Active Directory services to their pre-attack state. Progent then helped perform setup and hard drive recovery on mission-critical servers. All Exchange ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST data files (Outlook Offline Folder Files) on various workstations to recover email data. A recent offline backup of the business's accounting/ERP systems made it possible to bring these vital programs back online for users. Although major work remained to recover fully from the Ryuk attack, core services were restored quickly:


"For the most part, the production line operation never missed a beat and we delivered all customer shipments."

During the next couple of weeks, critical milestones in the restoration process were reached through tight collaboration between Progent consultants and the client:

  • In-house web applications were brought back up with no loss of information.
  • The MailStore Exchange Server archive containing more than four million emails was brought online and made available to users.
  • The CRM, Orders, Invoices, Accounts Payable (AP), Accounts Receivable, and Inventory Control modules were 100% recovered.
  • A new Palo Alto 850 firewall was brought online.
  • Nearly all of the desktops and laptops were fully operational.

"A lot of what went on in the initial days is mostly a blur for me, but my management will not soon forget the care all of you accomplished to help get our company back. I've been working together with Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This situation was a life saver."

Conclusion
A likely business-ending catastrophe was averted thanks to dedicated experts, a broad array of technical expertise, and tight teamwork. Although the post mortem showed that the ransomware incident described here should have been stopped by current cyber security technology and recognized best practices, staff training, and well thought out incident response procedures for backup and software patching, the reality is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has proven experience in ransomware blocking, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for making it so I could get rested after we got over the initial push. All of you did an amazing job, and if anyone that helped is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Campinas a variety of remote monitoring and security evaluation services to help you reduce the threat from crypto-ransomware. These services use next-generation AI capability to uncover zero-day variants of crypto-ransomware that escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavior analysis technology to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily escape traditional signature-matching AV products. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to automate the complete threat lifecycle, including filtering, identification, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to cyber assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can help your business plan and configure a ProSight ESP deployment that addresses your company's unique needs and allows you to demonstrate compliance with government and industry data security regulations. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also help your company set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with leading backup software providers to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and enable transparent backup and rapid recovery of vital files, apps, images, and virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware breakdown, natural calamities, fire, malware like ransomware, user mistakes, malicious employees, or software glitches. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security companies to provide web-based management and world-class security for all your email traffic. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway device adds a deeper level of inspection for incoming email. For outbound email, the local security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server track and safeguard internal email traffic that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map out, monitor, reconfigure and debug their connectivity appliances such as switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are always current, captures and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious network management processes, WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, locating devices that need critical software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your network running at peak levels by tracking the state of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT staff and your Progent consultant so any potential problems can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to a different hosting environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard data about your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can save up to half the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that uses next-generation behavior-based machine learning technology to guard endpoints, servers, and VMs against new malware assaults such as ransomware and email phishing, which routinely get past legacy signature-matching anti-virus products. Progent's Active Security Monitoring services protect local and cloud-based resources and offer a unified platform to address the entire malware attack lifecycle, including blocking, detection, containment, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Support Desk services let your IT team outsource Support Desk services to Progent, or divide support activity transparently between your internal support staff and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent supplement to your core IT support resources. End user interaction with the Help Desk, delivery of technical assistance, problem escalation, trouble ticket creation and updates, efficiency measurement, and management of the support database are cohesive whether incidents are resolved by your core support group, by Progent, or both. Read more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide businesses of all sizes a flexible and affordable alternative for assessing, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT system. In addition to optimizing the security and reliability of your IT environment, Progent's patch management services permit your in-house IT team to concentrate on more strategic initiatives and tasks that deliver maximum business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo technology to protect against compromised passwords through two-factor authentication. Duo supports one-tap identity verification with iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to verify your identity via a device that only you possess and that is reached over a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used for this added form of identity validation, such as a smartphone or watch, a hardware token, or a landline phone. You can designate several verification devices. To learn more about ProSight Duo identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.

For 24-Hour Campinas CryptoLocker Cleanup Consulting, call Progent at 800-462-8800 or go to Contact Progent.