Crypto-Ransomware : Your Crippling IT Nightmare
Ransomware Recovery Consultants

Ransomware has become an escalating cyberplague that poses an extinction-level threat for organizations unprepared for an attack. Multiple generations of crypto-ransomware such as the CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been in the wild for many years and still cause destruction. Newer ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, along with as yet unnamed newcomers appearing daily, not only encrypt online data files but also encrypt many of the configured system backups. Data synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly designed environment, this can render automatic restoration impossible and effectively knock the entire system back to zero.

Retrieving services and data after a ransomware intrusion becomes a race against time as the victim struggles to stop the spread, remove the crypto-ransomware, and resume mission-critical activity. Because ransomware takes time to move laterally, attacks are frequently triggered on weekends, when a successful penetration often takes longer to detect. This compounds the difficulty of rapidly marshalling and organizing a knowledgeable mitigation team.

Progent offers an assortment of solutions for protecting enterprises from ransomware events. These include training for team members to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security tools with artificial intelligence technology from SentinelOne to identify and suppress zero-day threats quickly. Progent can also provide expert ransomware recovery professionals with the track record and perseverance to re-deploy a breached environment as quickly as possible.

Progent's Ransomware Recovery Services
Following a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky found that 17% of ransomware victims never recovered their information after paying the ransom, compounding their losses. Paying is also expensive: Ryuk ransoms are typically a few hundred thousand dollars, and for larger enterprises the demand can reach millions of dollars. The other path is to piece the critical elements of your IT environment back together. Without access to full system backups, this requires a wide range of IT skills, top-notch project management, and the capability to work non-stop until the job is finished.

For two decades, Progent has provided certified expert IT services for companies throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has experience in financial systems and ERP software solutions. This breadth of experience allows Progent to knowledgeably identify critical systems after a crypto-ransomware attack and reassemble the remaining pieces of your network into a functioning system.

Progent's recovery group uses best of breed project management systems to orchestrate the complicated restoration process. Progent understands the importance of acting quickly and together with a client's management and IT team members to assign priority to tasks and to put essential applications back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Attack Restoration
A client sought out Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting strategies leaked from America's National Security Agency. Ryuk targets specific organizations with limited tolerance for disruption and is among the most profitable iterations of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with around 500 workers. The Ryuk attack had paralyzed all company operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were damaged. The client was considering paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I cannot thank you enough in regards to the support Progent gave us throughout the most critical period of (our) business's life. We most likely would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent group provided us. That you were able to get our messaging and critical applications back quicker than seven days was something I thought impossible. Every single consultant I worked with or messaged at Progent was absolutely committed to getting us restored and was working at breakneck pace on our behalf."

Progent worked together with the customer to quickly determine and prioritize the most important applications that needed to be recovered to make it possible to resume business functions:

  • Windows Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To start, Progent followed anti-malware incident response best practices by stopping lateral movement and cleaning infected systems. Progent then began restoring Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Active Directory, and the business's accounting and MRP software used Microsoft SQL Server, which depended on Active Directory for authenticated access to the data.

Within 48 hours, Progent was able to recover Active Directory to its pre-penetration state. Progent then assisted with the setup and disk recovery of the needed applications. All Exchange links and attributes in Active Directory were still usable, which accelerated the rebuild of Exchange. Progent located non-encrypted OST files (Outlook Off-Line Folder Files) on staff workstations and laptops and used them to recover mail data. A recent offline backup of the client's accounting/MRP systems made it possible to bring these required applications back into service. Although significant work remained to recover completely from the Ryuk virus, essential systems were returned to operation quickly:


"For the most part, the production line operation ran fairly normal throughout and we delivered all customer orders."
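The OST recovery step described above can be scripted for triage. The following is an added example, not Progent's code or tooling: it inventories OST files under a workstation's user profiles, checks that each file still begins with the OST/PST signature bytes "!BDN" (used here, as an assumption, as a quick indicator that the file was not overwritten by the encryptor), and copies only intact files to a staging folder whose path is a hypothetical placeholder.

```powershell
# Added example (not Progent's code): triage OST files on one workstation
# after a ransomware event and stage only those whose header is intact.
# Assumption: a healthy OST/PST file starts with "!BDN" (0x21 0x42 0x44 0x4E);
# a file whose first bytes differ is treated as damaged/encrypted.
param(
    [string[]]$SearchRoots = @("$env:SystemDrive\Users"),
    [string]$Destination   = "D:\OST-Recovery"   # hypothetical staging path
)

$signature = [byte[]](0x21, 0x42, 0x44, 0x4E)

function Test-OstHeader {
    param([string]$Path)
    # Open with FileShare ReadWrite so a file still held open by Outlook can be read.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf  = New-Object byte[] 4
        $read = $fs.Read($buf, 0, 4)
    } finally { $fs.Dispose() }
    if ($read -lt 4) { return $false }
    for ($i = 0; $i -lt 4; $i++) {
        if ($buf[$i] -ne $signature[$i]) { return $false }
    }
    return $true
}

if (-not (Test-Path $Destination)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}

# Inventory every OST under the profile roots and record whether its header is intact.
$results = Get-ChildItem -Path $SearchRoots -Recurse -Include *.ost -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Path      = $_.FullName
            SizeMB    = [math]::Round($_.Length / 1MB, 1)
            LastWrite = $_.LastWriteTime
            HeaderOK  = Test-OstHeader -Path $_.FullName
        }
    }

$results | Format-Table -AutoSize

# Stage only intact files, one subfolder per host, so nothing encrypted is mixed in.
$target = Join-Path $Destination $env:COMPUTERNAME
if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
foreach ($r in $results | Where-Object HeaderOK) {
    try {
        Copy-Item -Path $r.Path -Destination $target -ErrorAction Stop
    } catch {
        Write-Warning "Could not copy $($r.Path): $($_.Exception.Message)"
    }
}

# Keep the inventory with the staged files for the recovery team's records.
$results | Export-Csv -Path (Join-Path $Destination "$env:COMPUTERNAME-ost-triage.csv") -NoTypeInformation
```

An intact header only shows the file was not fully overwritten; confirm each staged copy is readable by opening it in Outlook or the Inbox Repair Tool (scanpst.exe) before relying on it for mail recovery.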

During the next month, important milestones in the restoration project were reached in tight collaboration between Progent consultants and the customer:

  • In-house web applications were returned to operation with no loss of data.
  • The MailStore archive server for Microsoft Exchange, holding over four million archived messages, was restored to operation and made accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivable (AR)/Inventory Control functions were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Most of the desktops and laptops were back into operation.

"So much of what occurred those first few days is mostly a haze for me, but my management will not forget the care each and every one of the team accomplished to help get our business back. I have entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A possible company-ending disaster was averted through the efforts of results-oriented experts, a wide array of technical expertise, and tight teamwork. Post-incident forensics showed that the ransomware attack detailed here would have been prevented by modern security technology, NIST Cybersecurity Framework best practices, team education, and well designed procedures for information protection and timely security patching. Nevertheless, state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware penetration, you can be confident that Progent's roster of experts has a proven track record in ransomware blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thanks very much for allowing me to get rested after we made it over the initial fire. Everyone did an amazing effort, and if anyone is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Barra da Tijuca a portfolio of online monitoring and security evaluation services to help you minimize the threat from crypto-ransomware. These services include next-generation AI technology to uncover new strains of ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior-based machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily escape legacy signature-based AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to automate the entire threat progression including blocking, identification, containment, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can help you plan and implement a ProSight ESP environment that addresses your organization's specific requirements and that allows you to achieve and demonstrate compliance with government and industry information security standards. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent can also help your company set up and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup software providers to produce ProSight Data Protection Services, a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup operations and allow transparent backup and rapid recovery of vital files, apps, images, and VMs. ProSight DPS lets you protect against data loss caused by hardware failures, natural disasters, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or application glitches. Managed backup services available in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security vendors to provide web-based control and comprehensive protection for your inbound and outbound email. The hybrid structure of Email Guard managed service combines cloud-based filtering with a local security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further level of inspection for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The local gateway can also help Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to diagram, monitor, reconfigure and debug their networking appliances such as switches, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are kept current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious management processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, locating appliances that require important updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the state of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT personnel and your Progent consultant so that any potential issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Since the environment is virtualized, it can be ported easily to a different hardware solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard information about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save up to 50% of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates next generation behavior analysis technology to defend endpoints and physical and virtual servers against new malware assaults such as ransomware and email phishing, which easily get by legacy signature-matching AV tools. Progent ASM services protect local and cloud-based resources and offer a unified platform to manage the entire threat lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Call Center: Help Desk Managed Services
    Progent's Call Center managed services enable your information technology group to offload Call Center services to Progent or split activity for support services transparently between your in-house support staff and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a smooth supplement to your in-house IT support staff. Client interaction with the Help Desk, delivery of support, problem escalation, ticket generation and tracking, efficiency metrics, and management of the service database are cohesive regardless of whether incidents are taken care of by your core network support staff, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of any size a flexible and cost-effective solution for assessing, testing, scheduling, applying, and documenting updates to your ever-evolving IT network. Besides optimizing the protection and functionality of your IT network, Progent's patch management services free up time for your in-house IT team to focus on more strategic initiatives and activities that deliver maximum business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification with iOS, Google Android, and other personal devices. Using 2FA, whenever you sign into a secured application and enter your password you are asked to verify who you are via a device that only you have and that uses a different ("out-of-band") network channel. A wide range of out-of-band devices can be utilized as this second form of ID validation including a smartphone or wearable, a hardware/software token, a landline phone, etc. You can register several validation devices. To learn more about Duo identity authentication services, visit Cisco Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of real-time and in-depth reporting plug-ins created to work with the industry's leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like spotty support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

For 24x7x365 Barra da Tijuca Crypto Remediation Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.