Ransomware : Your Feared Information Technology Disaster
Crypto-Ransomware  Recovery ExpertsRansomware has become an escalating cyberplague that poses an extinction-level danger for businesses unprepared for an attack. Multiple generations of ransomware such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been circulating for years and still cause destruction. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with daily as yet unnamed viruses, not only do encryption of online data but also infiltrate many configured system backup. Files synchronized to off-site disaster recovery sites can also be ransomed. In a poorly architected system, this can make automatic recovery hopeless and effectively knocks the network back to square one.

Getting back online services and data after a crypto-ransomware event becomes a race against the clock as the targeted organization tries its best to stop lateral movement and cleanup the crypto-ransomware and to resume mission-critical activity. Because crypto-ransomware takes time to replicate, penetrations are frequently launched at night, when attacks typically take longer to identify. This multiplies the difficulty of promptly marshalling and orchestrating a knowledgeable mitigation team.

Progent offers a variety of solutions for protecting organizations from ransomware penetrations. These include team education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of the latest generation security appliances with artificial intelligence capabilities from SentinelOne to identify and suppress zero-day cyber threats intelligently. Progent in addition provides the services of experienced ransomware recovery engineers with the talent and commitment to rebuild a compromised system as urgently as possible.

Progent's Ransomware Restoration Services
Subsequent to a ransomware attack, paying the ransom demands in cryptocurrency does not provide any assurance that merciless criminals will return the needed keys to decipher all your information. Kaspersky estimated that 17% of ransomware victims never recovered their data after having paid the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well higher than the typical crypto-ransomware demands, which ZDNET determined to be around $13,000. The other path is to setup from scratch the mission-critical components of your IT environment. Absent access to complete information backups, this requires a wide range of skill sets, top notch team management, and the willingness to work continuously until the job is finished.

For decades, Progent has offered certified expert IT services for businesses in Campinas and across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned top industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity specialists have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise affords Progent the skills to quickly determine critical systems and consolidate the surviving parts of your network system following a ransomware attack and configure them into an operational network.

Progent's security team has best of breed project management tools to coordinate the complex restoration process. Progent understands the urgency of acting swiftly and in concert with a customer's management and IT resources to prioritize tasks and to put the most important systems back on line as fast as humanly possible.

Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer engaged Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been created by Northern Korean state sponsored cybercriminals, suspected of using algorithms exposed from the U.S. National Security Agency. Ryuk goes after specific businesses with limited tolerance for disruption and is among the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in Chicago and has about 500 employees. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the start of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately reached out to Progent.


"I can't thank you enough about the care Progent provided us throughout the most fearful period of (our) company's life. We had little choice but to pay the Hackers except for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and critical servers back faster than one week was beyond my wildest dreams. Each person I got help from or messaged at Progent was amazingly focused on getting us back online and was working all day and night to bail us out."

Progent worked hand in hand the customer to rapidly assess and assign priority to the essential areas that needed to be addressed to make it possible to continue business operations:

  • Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP
To get going, Progent followed ransomware incident response industry best practices by stopping lateral movement and clearing up compromised systems. Progent then started the process of rebuilding Microsoft Active Directory, the key technology of enterprise environments built on Microsoft Windows technology. Exchange messaging will not function without Active Directory, and the businesses' accounting and MRP applications leveraged Microsoft SQL, which depends on Windows AD for authentication to the data.

Within two days, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then assisted with reinstallations and storage recovery of key servers. All Exchange Server schema and configuration information were intact, which greatly helped the restore of Exchange. Progent was able to assemble intact OST files (Microsoft Outlook Offline Folder Files) on staff desktop computers in order to recover mail messages. A recent offline backup of the client's accounting/MRP systems made them able to return these vital programs back servicing users. Although a large amount of work remained to recover totally from the Ryuk attack, core services were returned to operations quickly:


"For the most part, the assembly line operation did not miss a beat and we delivered all customer shipments."

During the next few weeks important milestones in the recovery process were achieved in close cooperation between Progent team members and the client:

  • In-house web sites were returned to operation without losing any information.
  • The MailStore Exchange Server containing more than four million historical emails was spun up and available for users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control modules were 100% restored.
  • A new Palo Alto 850 security appliance was brought online.
  • Most of the desktops and laptops were being used by staff.

"A huge amount of what transpired those first few days is mostly a blur for me, but I will not forget the care each of the team accomplished to give us our company back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered as promised. This time was a stunning achievement."

Conclusion
A possible business-killing catastrophe was evaded through the efforts of dedicated professionals, a wide range of knowledge, and close teamwork. Although in hindsight the ransomware virus incident described here would have been blocked with current security technology solutions and best practices, user and IT administrator training, and well thought out security procedures for data backup and proper patching controls, the reality remains that government-sponsored hackers from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware incursion, feel confident that Progent's roster of experts has a proven track record in ransomware virus blocking, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for letting me get some sleep after we made it over the initial push. All of you did an amazing effort, and if anyone is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Campinas a range of remote monitoring and security evaluation services designed to help you to reduce the threat from crypto-ransomware. These services utilize next-generation artificial intelligence technology to detect new variants of crypto-ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior-based machine learning tools to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get by traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to address the entire threat lifecycle including protection, detection, containment, remediation, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist you to design and implement a ProSight ESP deployment that meets your company's unique requirements and that allows you prove compliance with government and industry information security standards. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also assist your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services, a portfolio of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup operations and allow transparent backup and fast restoration of critical files, applications, images, and virtual machines. ProSight DPS helps you recover from data loss caused by hardware failures, natural disasters, fire, cyber attacks such as ransomware, user error, ill-intentioned employees, or application glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to deliver centralized management and world-class protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to provide advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway device provides a deeper level of analysis for incoming email. For outgoing email, the local security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to diagram, track, reconfigure and debug their networking appliances such as routers and switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always current, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating complex management activities, ProSight WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, finding devices that need important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by checking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT management staff and your Progent consultant so any potential problems can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved immediately to a different hosting solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard information related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as 50% of time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates next generation behavior-based analysis technology to guard endpoints as well as physical and virtual servers against new malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-based AV tools. Progent ASM services protect local and cloud resources and provides a unified platform to automate the complete malware attack progression including filtering, identification, containment, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Service Desk: Call Center Managed Services
    Progent's Support Desk managed services permit your information technology group to offload Help Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house network support staff and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless supplement to your in-house network support organization. User access to the Service Desk, delivery of technical assistance, problem escalation, trouble ticket generation and updates, efficiency metrics, and management of the service database are cohesive regardless of whether issues are taken care of by your core network support organization, by Progent, or by a combination. Find out more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management provide businesses of any size a flexible and affordable solution for evaluating, validating, scheduling, applying, and documenting updates to your dynamic IT network. In addition to optimizing the protection and functionality of your IT environment, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic projects and activities that deliver maximum business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication. Duo enables single-tap identity verification with Apple iOS, Android, and other personal devices. Using Duo 2FA, when you log into a protected application and enter your password you are asked to verify your identity via a unit that only you have and that is accessed using a different ("out-of-band") network channel. A broad selection of devices can be used as this added form of ID validation such as an iPhone or Android or watch, a hardware/software token, a landline telephone, etc. You can register several verification devices. To learn more about ProSight Duo identity authentication services, see Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of in-depth reporting plug-ins created to work with the industry's top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Campinas CryptoLocker Remediation Consultants, contact Progent at 800-462-8800 or go to Contact Progent.