Ransomware : Your Worst IT Catastrophe
Crypto-Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a too-frequent cyberplague that presents an extinction-level threat for businesses vulnerable to an attack. Multiple generations of ransomware such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for many years and continue to cause damage. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, along with more as yet unnamed newcomers, not only encrypt online critical data but also infiltrate most available system protection. Data replicated to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can render any restore operations impossible and basically knocks the network back to zero.

Restoring applications and data following a ransomware intrusion becomes a race against time as the victim fights to stop lateral movement and eradicate the crypto-ransomware and to restore enterprise-critical activity. Since crypto-ransomware requires time to replicate, penetrations are often sprung at night, when penetrations tend to take more time to recognize. This compounds the difficulty of promptly marshalling and orchestrating a capable mitigation team.

Progent has a variety of services for securing enterprises from ransomware attacks. Among these are user education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of the latest generation security solutions with AI technology from SentinelOne to detect and quarantine zero-day cyber threats rapidly. Progent in addition can provide the assistance of veteran ransomware recovery professionals with the skills and perseverance to restore a breached system as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
Subsequent to a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that cyber hackers will provide the codes to unencrypt any or all of your information. Kaspersky determined that seventeen percent of ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET determined to be around $13,000. The other path is to piece back together the mission-critical parts of your Information Technology environment. Without the availability of complete system backups, this calls for a wide range of skills, well-coordinated project management, and the capability to work non-stop until the job is complete.

For two decades, Progent has provided certified expert Information Technology services for companies in Florianópolis and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained top certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally-recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of expertise gives Progent the ability to quickly understand important systems and integrate the remaining components of your computer network environment after a ransomware event and assemble them into a functioning system.

Progent's security team deploys state-of-the-art project management tools to orchestrate the sophisticated restoration process. Progent knows the importance of working swiftly and in unison with a client's management and Information Technology staff to prioritize tasks and to put essential services back online as fast as humanly possible.

Customer Story: A Successful Crypto-Ransomware Attack Restoration
A business sought out Progent after their company was taken over by the Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by Northern Korean government sponsored hackers, suspected of using technology leaked from America's National Security Agency. Ryuk attacks specific businesses with little tolerance for operational disruption and is among the most lucrative instances of ransomware. Headline organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago and has about 500 workers. The Ryuk penetration had paralyzed all essential operations and manufacturing processes. The majority of the client's data protection had been directly accessible at the time of the attack and were encrypted. The client considered paying the ransom demand (more than $200,000) and hoping for good luck, but ultimately brought in Progent.


"I cannot speak enough about the care Progent gave us during the most fearful period of (our) company's survival. We had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent experts provided us. That you could get our messaging and critical applications back on-line sooner than one week was beyond my wildest dreams. Every single expert I talked with or messaged at Progent was hell bent on getting us working again and was working all day and night to bail us out."

Progent worked hand in hand the client to quickly understand and prioritize the critical services that had to be addressed in order to continue departmental functions:

  • Active Directory (AD)
  • Microsoft Exchange
  • Accounting/MRP
To get going, Progent followed ransomware incident response industry best practices by halting the spread and clearing infected systems. Progent then initiated the work of restoring Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Exchange messaging will not operate without Active Directory, and the client's accounting and MRP applications used Microsoft SQL Server, which requires Active Directory services for access to the databases.

In less than 48 hours, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then assisted with rebuilding and hard drive recovery of critical applications. All Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate non-encrypted OST data files (Outlook Off-Line Data Files) on staff PCs to recover mail messages. A not too old off-line backup of the businesses financials/ERP software made them able to recover these required programs back on-line. Although a large amount of work remained to recover totally from the Ryuk event, essential systems were restored rapidly:


"For the most part, the production line operation did not miss a beat and we did not miss any customer shipments."

During the following few weeks key milestones in the restoration process were made in close collaboration between Progent engineers and the client:

  • Self-hosted web sites were returned to operation without losing any information.
  • The MailStore Microsoft Exchange Server with over 4 million historical messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control capabilities were 100% operational.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Most of the desktops and laptops were operational.

"A huge amount of what was accomplished in the initial days is mostly a fog for me, but my management will not soon forget the urgency each of the team put in to help get our company back. I have been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A likely business extinction catastrophe was averted with results-oriented professionals, a wide array of subject matter expertise, and close collaboration. Although in hindsight the ransomware penetration detailed here could have been disabled with current security technology and NIST Cybersecurity Framework best practices, team training, and well thought out incident response procedures for information protection and keeping systems up to date with security patches, the fact is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incident, feel confident that Progent's roster of experts has a proven track record in ransomware virus defense, mitigation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thanks very much for letting me get some sleep after we got over the initial push. All of you did an impressive job, and if anyone is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Florianópolis a variety of online monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services incorporate modern AI capability to detect new strains of crypto-ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely get by legacy signature-based AV products. ProSight ASM protects on-premises and cloud resources and provides a single platform to automate the entire threat progression including blocking, infiltration detection, containment, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP offers firewall protection, penetration alarms, endpoint control, and web filtering through leading-edge technologies packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP environment that addresses your company's specific needs and that helps you prove compliance with government and industry data protection standards. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent can also help your company to install and test a backup and restore system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup technology companies to create ProSight Data Protection Services, a family of management offerings that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup processes and enable transparent backup and rapid restoration of critical files/folders, applications, system images, plus VMs. ProSight DPS lets you protect against data loss caused by hardware failures, natural disasters, fire, malware like ransomware, user mistakes, malicious employees, or application bugs. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to provide centralized control and comprehensive protection for your inbound and outbound email. The powerful structure of Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to provide complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer serves as a first line of defense and blocks most threats from making it to your network firewall. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper layer of inspection for incoming email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server to monitor and safeguard internal email that originates and ends within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to map out, track, reconfigure and troubleshoot their connectivity hardware like switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that infrastructure topology diagrams are always updated, copies and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that require critical software patches, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your network operating efficiently by checking the health of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT management staff and your assigned Progent consultant so any looming problems can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved easily to an alternate hardware environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half of time spent trying to find critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes cutting edge behavior machine learning tools to guard endpoint devices as well as physical and virtual servers against new malware assaults such as ransomware and email phishing, which routinely evade traditional signature-based AV products. Progent ASM services protect on-premises and cloud-based resources and offers a single platform to automate the entire threat progression including blocking, infiltration detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows VSS and real-time system-wide immunization against new threats. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Desk: Support Desk Managed Services
    Progent's Support Desk managed services enable your information technology team to outsource Help Desk services to Progent or split responsibilities for support services transparently between your internal network support group and Progent's extensive pool of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless supplement to your core support staff. End user access to the Service Desk, delivery of support, escalation, trouble ticket generation and updates, performance measurement, and maintenance of the service database are cohesive regardless of whether issues are taken care of by your in-house network support staff, by Progent, or by a combination. Find out more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer businesses of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and tracking updates to your dynamic IT system. Besides optimizing the security and reliability of your IT environment, Progent's patch management services permit your in-house IT staff to focus on line-of-business projects and tasks that derive maximum business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to protect against password theft through the use of two-factor authentication (2FA). Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a protected online account and enter your password you are asked to verify who you are on a unit that only you have and that is accessed using a different ("out-of-band") network channel. A broad selection of devices can be used for this added means of authentication including a smartphone or wearable, a hardware/software token, a landline phone, etc. You can register several validation devices. For details about Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time and in-depth reporting plug-ins created to work with the industry's leading ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For Florianópolis 24x7x365 Crypto-Ransomware Cleanup Experts, call Progent at 800-462-8800 or go to Contact Progent.