Ransomware : Your Worst Information Technology Catastrophe
Crypto-Ransomware Recovery Experts

Crypto-Ransomware has become a modern cyberplague that presents an extinction-level threat for businesses poorly prepared for an attack. Multiple generations of ransomware and cryptoworms such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock have been out in the wild for many years and still inflict destruction. Newer variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, along with frequent unnamed malware, not only encrypt online information but also infect any system protection they can reach. Data synched to cloud environments can also be rendered useless. With a vulnerable data protection solution, this can make automated recovery hopeless and effectively sets the datacenter back to square one.

Restoring services and data following a crypto-ransomware attack becomes a sprint against time as the victim fights to contain the damage, clean up the malware, and restore business-critical operations. Because crypto-ransomware takes time to spread, assaults are usually launched at night, when successful penetrations tend to take longer to notice. This multiplies the difficulty of quickly mobilizing and orchestrating a capable response team.

Progent offers a variety of support services for protecting enterprises from ransomware penetrations. These include staff education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security appliances with AI technology from SentinelOne to identify and suppress zero-day threats rapidly. Progent also provides the services of veteran ransomware recovery engineers with the talent and commitment to rebuild a breached environment as urgently as possible.

Progent's Ransomware Restoration Services
Subsequent to a ransomware attack, paying the ransom in cryptocurrency does not guarantee that merciless criminals will provide the keys to decipher all your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their information after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual ransomware demands, which ZDNET estimates to average approximately $13,000. The alternative is to re-install the essential components of your Information Technology environment. Without access to essential system backups, this calls for a broad complement of skill sets, top-notch project management, and the willingness to work non-stop until the recovery project is completed.

For twenty years, Progent has provided professional Information Technology services for businesses in Florianópolis and throughout the U.S. and has earned Microsoft's Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded high-level certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have garnered internationally renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of expertise gives Progent the capability to quickly identify important systems, consolidate the remaining parts of your computer network environment following a ransomware event, and rebuild them into an operational network.

Progent's ransomware group uses state-of-the-art project management applications to orchestrate the complex restoration process. Progent understands the urgency of acting rapidly and in concert with a customer's management and Information Technology staff to prioritize tasks and to get essential services back online as soon as humanly possible.

Case Study: A Successful Ransomware Incident Restoration
A business engaged Progent after their network system was brought down by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government-sponsored criminal gangs, suspected of using algorithms exposed from the United States National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most lucrative examples of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with around 500 employees. The Ryuk penetration had disabled all company operations and manufacturing capabilities. Most of the client's data backups had been online at the beginning of the attack and were encrypted. The client considered paying the ransom demand (more than $200K) and hoping for the best, but ultimately engaged Progent.


"I cannot say enough in regards to the expertise Progent provided us throughout the most fearful period of (our) business's life. We may have had to pay the criminal gangs if not for the confidence the Progent experts provided us. That you could get our e-mail and key applications back online in less than five days was earth shattering. Each expert I talked with or texted at Progent was totally committed to getting us working again and was working at breakneck pace to bail us out."

Progent worked together with the client to quickly identify and assign priority to the most important areas that needed to be addressed to make it possible to resume departmental functions:

  • Active Directory (AD)
  • Microsoft Exchange
  • MRP System

To get going, Progent followed industry best practices for malware incident mitigation by stopping the spread and cleaning up compromised systems. Progent then started the steps of rebuilding Windows Active Directory, the foundation of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange messaging will not operate without Windows AD, and the business's financials and MRP system relied on SQL Server, which needs Active Directory for authentication to the databases.

In less than 48 hours, Progent was able to restore Active Directory to its pre-intrusion state. Progent then initiated rebuilding and hard drive recovery of key systems. All Exchange schema and configuration information were usable, which greatly helped the restoration of Exchange. Progent was able to locate intact OST data files (Outlook Offline Folder Files) on team workstations in order to recover email messages. A recent offline backup of the business's accounting systems made it possible to bring these vital applications back to users. Although a large amount of work remained to recover completely from the Ryuk event, the most important systems were recovered rapidly:


"For the most part, the manufacturing operation showed little impact and we made all customer orders."

Throughout the following month critical milestones in the recovery project were completed in close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore Exchange Server containing more than 4 million archived messages was brought on-line and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory functions were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was installed.
  • Ninety percent of the user desktops and notebooks were operational.

"So much of what occurred those first few days is mostly a blur for me, but my management will not soon forget the countless hours all of you accomplished to help get our company back. I've entrusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This event was a testament to your capabilities."

Conclusion
A likely business-killing catastrophe was avoided with top-tier experts, a broad array of IT skills, and close collaboration. Although the completed forensics showed that the ransomware incident described here would have been identified and blocked with modern cyber security solutions and best practices, user education, and properly executed security procedures for backup and patching controls, the reality remains that government-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware incident, feel confident that Progent's team of professionals has substantial experience in crypto-ransomware blocking, mitigation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thank you for letting me get some sleep after we got past the most critical parts. Everyone did an impressive job, and if anyone is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Florianópolis a variety of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services utilize next-generation AI technology to uncover new strains of crypto-ransomware that are able to escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-based AV products. ProSight ASM safeguards local and cloud-based resources and offers a unified platform to address the entire threat progression including protection, identification, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering through cutting-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business to design and configure a ProSight ESP deployment that addresses your organization's specific requirements and that allows you to demonstrate compliance with government and industry data security regulations. Progent will assist you in defining and configuring the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent's consultants can also assist you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore technology providers to create ProSight Data Protection Services (DPS), a family of management offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup processes and allow non-disruptive backup and rapid restoration of vital files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss caused by equipment breakdown, natural disasters, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or application glitches. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security companies to deliver centralized control and comprehensive security for all your email traffic. The powerful structure of Email Guard managed service integrates cloud-based filtering with a local security gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper level of inspection for inbound email. For outgoing email, the onsite gateway provides AV and anti-spam protection, DLP, and email encryption. The local gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map out, track, enhance and troubleshoot their networking hardware like routers and switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration of almost all devices on your network, tracks performance, and sends alerts when issues are detected. By automating time-consuming management processes, WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, locating appliances that need critical software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your network operating efficiently by checking the health of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your designated IT management staff and your Progent engineering consultant so any potential problems can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Since the system is virtualized, it can be ported easily to an alternate hardware solution without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect data related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save up to half of the time spent looking for vital information about your network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents related to managing your network infrastructure, like recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates next-generation behavior-based machine learning technology to guard endpoints, servers and VMs against modern malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus products. Progent ASM services protect local and cloud-based resources and provide a single platform to manage the entire malware attack progression including blocking, detection, mitigation, remediation, and forensics. Top features include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
    Progent's Help Desk services permit your IT team to offload Support Desk services to Progent or split responsibilities for Help Desk services transparently between your internal network support resources and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent extension of your core support organization. User access to the Help Desk, provision of support, escalation, ticket creation and updates, efficiency measurement, and maintenance of the support database are cohesive regardless of whether issues are resolved by your internal support resources, by Progent, or both. Find out more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide businesses of all sizes a flexible and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information network. In addition to maximizing the security and functionality of your IT environment, Progent's patch management services free up time for your in-house IT team to focus on line-of-business projects and tasks that deliver the highest business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation on iOS, Android, and other personal devices. Using Duo 2FA, when you sign into a protected application and give your password, you are requested to verify your identity via a device that only you have and that is accessed using a separate network channel. A wide range of out-of-band devices can be utilized for this added means of authentication, including an iPhone, Android phone or wearable, a hardware/software token, a landline phone, etc. You may designate multiple validation devices. For more information about Duo identity authentication services, visit Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of in-depth management reporting tools designed to work with the leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For 24x7x365 Florianópolis Crypto-Ransomware Repair Experts, contact Progent at 800-462-8800 or go to Contact Progent.