Ransomware : Your Crippling Information Technology Disaster
Ransomware Remediation Consultants

Ransomware has become a modern cyberplague that represents an extinction-level threat for organizations vulnerable to an assault. Versions of ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for years and continue to inflict damage. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, as well as additional unnamed newcomers, not only encrypt on-line files but also attack any configured system protection mechanisms. Information replicated to the cloud can also be corrupted. In a poorly architected environment, this can make any recovery useless and basically knocks the datacenter back to zero.

Recovering programs and information following a ransomware event becomes a race against time as the targeted business tries its best to stop the spread, remove the virus, and resume business-critical activity. Because ransomware requires time to replicate, attacks are frequently launched during weekends and nights, when successful penetrations are likely to take longer to notice. This compounds the difficulty of promptly mobilizing and orchestrating an experienced mitigation team.

Progent has an assortment of solutions for securing enterprises from ransomware events. Among these are user training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of the latest generation security gateways with machine learning capabilities from SentinelOne to detect and disable new threats rapidly. Progent also can provide the services of veteran crypto-ransomware recovery engineers with the track record and commitment to restore a compromised network as quickly as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not provide any assurance that cyber criminals will provide the keys to decrypt all your information. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET estimates to be around $13,000. The other path is to re-install the key parts of your Information Technology environment. Without access to complete information backups, this requires a wide complement of skill sets, professional team management, and the capability to work non-stop until the job is finished.

For decades, Progent has made available certified expert Information Technology services for businesses in Florianópolis and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned advanced industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the skills to knowledgeably identify important systems, organize the surviving pieces of your network environment after a ransomware penetration, and configure them into a functioning network.

Progent's ransomware team uses top notch project management applications to coordinate the complicated recovery process. Progent knows the urgency of working rapidly and in unison with a customer's management and IT staff to assign priority to tasks and to get essential services back on-line as soon as possible.

Client Case Study: A Successful Ransomware Virus Recovery
A client engaged Progent after their organization was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been developed by North Korean government-sponsored criminal gangs, possibly using strategies leaked from the U.S. National Security Agency. Ryuk attacks specific organizations with little tolerance for operational disruption and is one of the most profitable incarnations of ransomware malware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with about 500 employees. The Ryuk event had brought down all essential operations and manufacturing processes. Most of the client's information backups had been online at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for good luck, but in the end engaged Progent.


"I can't tell you enough about the help Progent gave us during the most stressful time of (our) company's survival. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent group afforded us. That you were able to get our messaging and important servers back faster than seven days was earth shattering. Each expert I spoke to or texted at Progent was hell bent on getting us operational and was working 24 by 7 to bail us out."

Progent worked with the customer to quickly identify and prioritize the key services that needed to be recovered to make it possible to continue company functions:

  • Active Directory (AD)
  • Microsoft Exchange
  • MRP System

To get going, Progent followed industry best practices for malware incident mitigation by isolating and disinfecting systems. Progent then started the task of restoring Active Directory, the heart of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not function without AD, and the customer's MRP system used SQL Server, which depends on Active Directory services for authentication to the databases.

Within 48 hours, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then performed reinstallations and hard drive recovery of critical applications. All Microsoft Exchange Server schema and attributes were intact, which greatly helped the restore of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Email Offline Folder Files) on various workstations to recover email information. A not too old off-line backup of the business's accounting/ERP systems made it possible to restore these vital services to users. Although significant work remained to recover totally from the Ryuk event, core services were recovered quickly:


"For the most part, the production operation never missed a beat and we made all customer orders."

Over the next few weeks key milestones in the restoration project were achieved in tight collaboration between Progent engineers and the customer:

  • Internal web sites were restored with no loss of data.
  • The MailStore Microsoft Exchange Server with over four million historical messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were fully restored.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Ninety percent of the user desktops were back into operation.

"Much of what transpired during the initial response is mostly a fog for me, but I will not forget the urgency each of the team accomplished to help get our business back. I've trusted Progent for the past ten years, maybe more, and each time Progent has come through and delivered as promised. This time was a stunning achievement."

Conclusion
A potential business catastrophe was dodged with hard-working experts, a broad range of subject matter expertise, and close collaboration. Although in retrospect the ransomware virus attack detailed here would have been shut down with modern cyber security technology solutions and NIST Cybersecurity Framework best practices, user education, and properly executed security procedures for data backup and patching controls, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incursion, remember that Progent's roster of experts has a proven track record in crypto-ransomware virus blocking, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), thanks very much for letting me get some sleep after we made it over the most critical parts. Everyone did an impressive effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Florianópolis a range of online monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services include next-generation AI technology to uncover new strains of crypto-ransomware that can escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior analysis tools to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-based AV products. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to manage the entire malware attack progression including filtering, detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge tools packaged within one agent accessible from a single console. Progent's data protection and virtualization consultants can help your business to plan and implement a ProSight ESP environment that meets your organization's specific needs and that allows you to achieve and demonstrate compliance with government and industry data protection standards. Progent will assist you in defining and implementing security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent attention. Progent's consultants can also help you to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup software companies to create ProSight Data Protection Services, a portfolio of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and allow non-disruptive backup and rapid recovery of vital files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss caused by hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned employees, or application bugs. Managed backup services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security companies to deliver centralized control and comprehensive protection for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter serves as a first line of defense and keeps most threats from reaching your network firewall. This reduces your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of analysis for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map, monitor, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers plus servers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and manages the configuration information of almost all devices on your network, tracks performance, and sends alerts when problems are detected. By automating tedious management processes, ProSight WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, finding devices that require critical software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your network operating at peak levels by tracking the health of critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management staff and your Progent consultant so that any potential problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be moved easily to a different hardware solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect information related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can save as much as half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Read more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates next generation behavioral machine learning technology to defend endpoint devices as well as servers and VMs against new malware assaults like ransomware and file-less exploits, which easily get by legacy signature-matching anti-virus tools. Progent ASM services safeguard on-premises and cloud-based resources and offer a unified platform to automate the entire malware attack lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
    Progent's Help Center services enable your IT group to offload Support Desk services to Progent or split activity for Service Desk support transparently between your in-house support team and Progent's nationwide pool of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless supplement to your internal IT support team. User access to the Help Desk, provision of support, escalation, trouble ticket creation and updates, performance metrics, and management of the service database are consistent whether issues are taken care of by your in-house IT support organization, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer organizations of all sizes a versatile and cost-effective alternative for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your dynamic information system. In addition to optimizing the security and functionality of your computer environment, Progent's patch management services allow your IT staff to concentrate on more strategic initiatives and activities that derive maximum business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo enables one-tap identity verification with Apple iOS, Google Android, and other personal devices. Using 2FA, whenever you log into a protected online account and enter your password you are requested to confirm your identity on a device that only you have and that is accessed using a different network channel. A wide range of devices can be utilized for this added form of ID validation such as an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may register several verification devices. To learn more about Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of real-time and in-depth management reporting tools designed to work with the industry's top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues like inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.

For 24-Hour Florianópolis Ransomware Remediation Support Services, contact Progent at 800-462-8800 or go to Contact Progent.