Crypto-Ransomware : Your Crippling IT Disaster
Ransomware Recovery Consultants

Crypto-ransomware has become a modern cyber pandemic that presents an existential threat to businesses of all sizes that are poorly prepared for an attack. Multiple generations of ransomware such as the Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for a long time and continue to cause destruction. Modern ransomware families like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with frequent unnamed variants, not only encrypt online data files but also compromise any system protection they can reach, such as accessible backups. Files synced to the cloud can also be ransomed. In a poorly architected environment, this can render automatic recovery hopeless and effectively sets the network back to zero.

Getting programs and information back online after a ransomware attack becomes a race against time as the victim struggles to contain and eradicate the ransomware and to restore mission-critical operations. Since ransomware takes time to move laterally, attacks are often sprung during weekends and nights, when they in many cases take longer to discover. This compounds the difficulty of rapidly marshalling and coordinating a knowledgeable response team.

Progent provides an assortment of services for securing enterprises against ransomware events. These include user education to help staff identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of security gateways with machine learning capabilities from SentinelOne to identify and quarantine new threats automatically. Progent can also provide the assistance of veteran ransomware recovery professionals with the talent and commitment to rebuild a compromised environment as urgently as possible.

Progent's Ransomware Recovery Services
Following a ransomware attack, sending the ransom in cryptocurrency provides no assurance that distant criminals will deliver the keys needed to decrypt any of your files. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC (between $120,000 and $400,000). This is well above the usual ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to re-install the essential components of your Information Technology environment. Without full information backups available, this requires a broad complement of skill sets, well-coordinated project management, and the ability to work 24x7 until the recovery project is completed.

For twenty years, Progent has made professional IT services available to businesses in Florianópolis and throughout the U.S. and has earned Microsoft Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned high-level certifications in key technologies from Microsoft, Cisco and VMware and in popular distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC (visit Progent's certifications). Progent in addition has experience in financial management and ERP software solutions. This breadth of expertise gives Progent the ability to rapidly identify the necessary systems, organize the surviving components of your network after a crypto-ransomware attack, and rebuild them into an operational system.

Progent's recovery group uses top-notch project management systems to orchestrate the complicated recovery process. Progent understands the urgency of acting quickly and of working together with a client's management and IT resources to prioritize tasks and put key systems back online as fast as humanly possible.

Customer Story: A Successful Ransomware Incident Recovery
A small business escalated to Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is thought to have been developed by North Korean state-sponsored cybercriminals, suspected of using technology leaked from the U.S. National Security Agency. Ryuk goes after specific businesses with little ability to sustain operational disruption and is one of the most lucrative examples of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business located in the Chicago metro area with about 500 staff members. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the attack and were damaged. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end brought in Progent.


"I cannot speak enough about the expertise Progent gave us throughout the most fearful time of (our) company's survival. We would have had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent experts afforded us. That you were able to get our e-mail and important servers back into operation in less than one week was incredible. Every single expert I talked with or texted at Progent was hell-bent on getting us back online and was working at all hours on our behalf."

Progent worked hand in hand with the customer to rapidly identify and prioritize the key elements that needed to be recovered to make it possible to restart company operations:

  • Microsoft Active Directory
  • Email
  • Financials/MRP

To get going, Progent followed industry best practices for ransomware incident response by isolating affected systems and performing malware removal steps. Progent then began bringing Windows Active Directory back online, as it is the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server email will not function without Active Directory, and the client's accounting and MRP applications relied on SQL Server, which in turn depends on Active Directory for authentication and authorization to the data.

In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then carried out setup and hard drive recovery of critical servers. All Exchange data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to locate local OST files (Outlook offline folder files) on various PCs and laptops in order to recover mail data. A recent offline backup of the customer's financials/MRP systems made it possible to restore these vital services to users. Although significant work remained to recover completely from the Ryuk attack, essential systems were recovered quickly:


"For the most part, the production operation survived unscathed and we made all customer sales."

Over the following month, critical milestones in the restoration project were completed through close collaboration between Progent engineers and the customer:

  • In-house web sites were brought back up with no loss of information.
  • The MailStore Server, holding more than four million archived emails, was brought online and made available to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory functions were fully recovered.
  • A new Palo Alto 850 security appliance was set up.
  • Most of the user PCs were back in use by staff.

"So much of what transpired those first few days is mostly a fog for me, but we will not soon forget the dedication each and every one of you showed to give us our business back. I've trusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This event was a testament to your capabilities."

Conclusion
A likely enterprise-killing disaster was avoided through the efforts of results-oriented professionals, a broad array of IT skills, and close teamwork. In hindsight, the crypto-ransomware attack detailed here should have been identified and disabled by current cyber security systems and recognized best practices: user and IT administrator training, well-designed incident response procedures, offline data backups, and keeping systems up to date with security patches. Nevertheless, the reality remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware incident, remember that Progent's team of experts has a proven track record in ransomware defense, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thanks very much for making it so I could get some sleep after we made it through the initial fire. All of you made an amazing effort, and if any of you guys are around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Florianópolis a variety of online monitoring and security assessment services designed to help you minimize your exposure to ransomware. These services include modern AI technology to uncover zero-day strains of ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely get by traditional signature-based AV products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to address the complete malware attack progression, including protection, identification, mitigation, cleanup, and forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring of and reaction to security threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you to prove compliance with government and industry information security regulations. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent can also help your company install and test a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup processes and enable non-disruptive backup and fast recovery of critical files/folders, applications, system images, and VMs. ProSight DPS helps your business protect against data loss caused by hardware breakdown, natural calamities, fire, malware like ransomware, human mistakes, malicious employees, or software bugs. Managed backup services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to deliver centralized management and world-class security for your inbound and outbound email. The hybrid architecture of the Email Guard managed service combines cloud-based filtering with a local gateway device to offer advanced defense against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-based malware. The cloud filter serves as a first line of defense and blocks most threats before they reach your security perimeter. This decreases your exposure to external attacks and saves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a further level of inspection for incoming email. For outbound email, the on-premises security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server track and safeguard internal email that stays inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, enhance and debug their networking appliances like switches, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are always up to date, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and sends notices when problems are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, locating devices that require important software patches, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by tracking the state of the vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT personnel and your assigned Progent engineering consultant so that any looming issue can be addressed before it has a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported immediately to a different hosting environment without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and managing your network documentation, you can eliminate as much as half of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your business network, such as recommended procedures and how-tos. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're making improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates cutting-edge behavior-based machine learning technology to guard endpoints and physical and virtual servers against modern malware assaults like ransomware and email phishing, which easily escape legacy signature-based anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud resources and offer a unified platform to automate the complete malware attack progression, including protection, infiltration detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic network-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Call Center: Support Desk Managed Services
    Progent's Call Center managed services enable your information technology team to offload Help Desk services to Progent or to split responsibility for Help Desk services transparently between your in-house network support resources and Progent's extensive pool of IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a smooth supplement to your corporate support team. End user interaction with the Help Desk, provision of support, issue escalation, trouble ticket generation and tracking, performance measurement, and management of the service database are consistent regardless of whether incidents are resolved by your core IT support staff, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of all sizes a flexible and affordable solution for assessing, validating, scheduling, implementing, and tracking updates to your dynamic IT system. Besides maximizing the security and functionality of your computer network, Progent's software/firmware update management services allow your IT team to concentrate on line-of-business initiatives and activities that derive the highest business value from your information network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication. Duo enables one-tap identity verification with iOS, Android, and other personal devices. With 2FA, when you log into a secured application and give your password, you are asked to verify who you are on a device that only you possess and that uses a different network channel. A broad range of out-of-band devices can be used as this second means of authentication, such as an iPhone, Android phone or wearable, a hardware/software token, or a landline phone. You can register multiple validation devices. To learn more about Duo identity validation services, see Duo MFA two-factor authentication (2FA) services.

For 24-hour Florianópolis crypto-ransomware recovery experts, reach out to Progent at 800-462-8800 or go to Contact Progent.