Ransomware : Your Worst Information Technology Disaster
Crypto-Ransomware Recovery Consultants
Ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level danger for businesses of all sizes that are poorly prepared for an attack. Multiple generations of crypto-ransomware like the CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and continue to cause harm. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as additional as yet unnamed malware, not only encrypt on-line data files but also infiltrate any accessible system protection. Files synchronized to the cloud can also be ransomed. In a poorly designed environment, this can make automated restore operations hopeless and effectively knocks the network back to zero.

Getting services and information back following a crypto-ransomware attack becomes a race against time as the targeted business struggles to contain and clean up the infection and to restore mission-critical operations. Because crypto-ransomware requires time to move laterally, attacks are frequently launched on weekends, when they tend to take longer to uncover. This multiplies the difficulty of rapidly assembling and coordinating an experienced mitigation team.

Progent offers an assortment of solutions for securing enterprises against ransomware events. Among these are team member training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security appliances with AI technology from SentinelOne to identify and suppress zero-day threats automatically. Progent also provides the services of expert ransomware recovery consultants with the talent and perseverance to rebuild a breached network as urgently as possible.

Progent's Ransomware Recovery Services
After a ransomware attack, even paying the ransom demand in cryptocurrency provides no assurance that distant criminals will return the keys to decrypt all your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The exposure is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET averages to be approximately $13,000. The alternative is to rebuild from scratch the key parts of your Information Technology environment. Without access to complete information backups, this requires a broad complement of skills, well-coordinated project management, and the willingness to work non-stop until the recovery project is completed.

For decades, Progent has offered expert IT services for companies in Barra da Tijuca and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained top industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally renowned certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the skills to knowledgeably identify important systems, re-organize the surviving components of your Information Technology system following a crypto-ransomware event, and rebuild them into an operational system.

Progent's recovery group uses top-notch project management applications to coordinate the complex recovery process. Progent knows the importance of working swiftly and in concert with a customer's management and Information Technology resources to prioritize tasks and to get essential services back on line as soon as humanly possible.

Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer engaged Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored hackers, suspected of adopting approaches leaked from the U.S. National Security Agency. Ryuk goes after specific companies with limited ability to sustain operational disruption and is one of the most profitable examples of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer located in Chicago with about 500 staff members. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. Most of the client's backups had been directly accessible on-line at the beginning of the attack and were destroyed. The client considered paying the ransom demand (more than $200K) and hoping for the best, but ultimately called Progent.


"I can't thank you enough for the care Progent gave us throughout the most critical time of (our) company's existence. We may have had to pay the hackers if it wasn't for the confidence the Progent team afforded us. The fact that you could get our messaging and critical applications back on-line in less than five days was earth shattering. Every single person I talked with or e-mailed at Progent was totally committed to getting my company operational and was working day and night on our behalf."

Progent worked hand in hand with the customer to quickly assess and prioritize the critical areas that had to be restored in order to restart departmental operations:

  • Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP

To start, Progent followed industry best practices for incident response by stopping lateral movement and disinfecting systems. Progent then began the process of recovering Microsoft Active Directory, the core of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server email will not operate without Active Directory, and the customer's MRP applications used Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the database.

Within 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then performed rebuilding and hard drive recovery of the most important applications. All Microsoft Exchange Server data and configuration information were usable, which greatly helped the restoration of Exchange. Progent was also able to gather local OST data files (Microsoft Outlook Offline Folder Files) from team desktop computers to recover email data. A fairly recent off-line backup of the customer's accounting systems, unlike the on-line backups the attackers had destroyed, had survived intact and made it possible to bring these required applications back online. Although significant work remained to recover fully from the Ryuk virus, core systems were returned to operation quickly:


"For the most part, the manufacturing operation did not miss a beat and we made all customer shipments."

Throughout the following couple of weeks, important milestones in the restoration project were reached through close collaboration between Progent team members and the client:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Server, holding more than 4 million historical messages, was brought online and made available to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory capabilities were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was set up.
  • Nearly all of the user desktops were functioning as before the incident.

"A huge amount of what occurred in the initial days is mostly a fog for me, but our team will not soon forget the countless hours each and every one of the team put in to give us our business back. I have been working with Progent for the past ten years, possibly more, and every time Progent has impressed me and delivered as promised. This time was a testament to your capabilities."

Conclusion
A possible business disaster was averted through the efforts of results-oriented professionals, a wide array of IT skills, and close collaboration. In retrospect, the ransomware attack detailed here would have been stopped by current cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and properly executed security procedures for information protection and keeping systems up to date with security patches. Nevertheless, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, feel confident that Progent's team of experts has proven experience in ransomware virus blocking, remediation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), thanks very much for allowing me to get rested after we made it through the first week. Everyone did an impressive job, and if any of your team is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, click: Progent's Ransomware Virus Recovery Case Study Datasheet (PDF - 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Barra da Tijuca a variety of online monitoring and security assessment services designed to help you minimize your vulnerability to crypto-ransomware. These services utilize modern artificial intelligence capability to uncover new variants of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-based AV tools. ProSight ASM safeguards local and cloud-based resources and offers a single platform to automate the entire threat progression including filtering, identification, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, penetration alerts, device control, and web filtering via cutting-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help you to design and implement a ProSight ESP deployment that meets your organization's unique requirements and that allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent's consultants can also help your company to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup/restore technology providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and monitor your backup processes and allow non-disruptive backup and fast restoration of critical files, apps, images, and VMs. ProSight DPS lets you protect against data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, human mistakes, ill-intentioned employees, or software bugs. Managed services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security companies to provide web-based management and comprehensive protection for your email traffic. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and blocks most threats from reaching your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map, monitor, reconfigure and troubleshoot their networking appliances such as routers and switches, firewalls, and access points plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are always updated, copies and manages the configuration of almost all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating tedious management activities, ProSight WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, finding devices that require critical updates, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by tracking the state of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT management personnel and your Progent engineering consultant so that all potential problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported easily to a different hardware solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect data about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to half of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based machine learning tools to defend endpoint devices, servers and VMs against modern malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-matching AV tools. Progent ASM services protect on-premises and cloud resources and provide a unified platform to manage the complete threat lifecycle including protection, infiltration detection, mitigation, remediation, and forensics. Top features include single-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Center: Call Center Managed Services
    Progent's Support Center services enable your information technology team to offload Help Desk services to Progent or split activity for Help Desk services seamlessly between your internal support resources and Progent's extensive roster of certified IT support engineers and subject matter experts. Progent's Shared Service Desk offers a transparent supplement to your in-house network support staff. Client interaction with the Help Desk, provision of technical assistance, issue escalation, trouble ticket creation and tracking, efficiency metrics, and management of the support database are consistent whether incidents are taken care of by your internal IT support group, by Progent's team, or by a combination. Find out more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of any size a flexible and cost-effective solution for assessing, testing, scheduling, implementing, and tracking updates to your ever-evolving information network. In addition to optimizing the protection and reliability of your IT network, Progent's patch management services permit your IT staff to concentrate on more strategic initiatives and tasks that deliver the highest business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services incorporate Cisco's Duo technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables one-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you log into a secured online account and give your password, you are asked to confirm who you are on a device that only you possess and that is reached over a different ("out-of-band") network channel. A broad selection of devices can be used for this added form of ID validation, such as an iPhone or Android phone or watch, a hardware token, or a landline phone. You can register several verification devices. To find out more about ProSight Duo two-factor identity validation services, refer to Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of real-time management reporting utilities created to integrate with the top ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-through or machines with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

For Barra da Tijuca 24x7x365 Crypto Remediation Experts, contact Progent at 800-462-8800 or go to Contact Progent.