Ransomware: Your Worst Information Technology Disaster
Ransomware has become a modern cyberplague and an enterprise-level danger for organizations unprepared for an assault. Multiple generations of ransomware such as the CrySIS, Fusob, Locky, NotPetya and MongoLock cryptoworms have been circulating for years and continue to inflict destruction. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, along with the as-yet-unnamed newcomers that appear daily, not only encrypt on-line data but also defeat most of the system protections in place. Information replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, this can make automated recovery impossible and effectively set the datacenter back to square one.
Getting programs and information back after a ransomware outage becomes a race against time as the victim fights to contain the damage, eradicate the virus and restore mission-critical operations. Because ransomware takes time to spread, attacks are often launched on weekends and at night, when successful penetrations typically take longer to discover. This multiplies the difficulty of quickly assembling and coordinating a knowledgeable mitigation team.
Progent makes available an assortment of services for securing organizations against ransomware penetrations. These include team member education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security appliances with AI capabilities from SentinelOne to identify and disable new cyber attacks rapidly. Progent also provides the assistance of veteran crypto-ransomware recovery engineers with the talent and perseverance to reconstruct a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
Following a ransomware attack, even paying the ransom demanded in Bitcoin cryptocurrency does not guarantee that the criminal gang will respond with the keys needed to decrypt all your data. Kaspersky determined that 17% of ransomware victims never recovered their information after having paid the ransom, compounding their losses. The risk is also very costly: Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), well above the usual ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to re-install the key parts of your IT environment. Without access to essential information backups, this calls for a broad range of skill sets, well-coordinated team management, and the willingness to work 24x7 until the job is finished.
For two decades, Progent has offered certified expert IT services for companies in Barra da Tijuca and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained top certifications in important technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity experts have garnered internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the ability to efficiently identify critical systems, integrate the surviving components of your Information Technology system after a ransomware attack, and rebuild them into an operational system.
Progent's ransomware group deploys top-notch project management applications to coordinate the complicated recovery process. Progent understands the importance of acting swiftly and together with a customer's management and Information Technology team members to assign priority to tasks and to get the most important services back online as soon as possible.
Customer Story: A Successful Ransomware Incident Response
A small business escalated to Progent after their company was crippled by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state criminal gangs, possibly adopting techniques exposed from the United States National Security Agency. Ryuk seeks out specific companies with little or no tolerance for disruption and is among the most profitable incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with around 500 employees. The Ryuk event had paralyzed all business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the time of the attack and were eventually encrypted. The client was taking steps to pay the ransom demand (in excess of $200K) and praying for good luck, but in the end brought in Progent.
"I can't speak enough about the help Progent gave us during the most stressful time of (our) business's survival. We had little choice but to pay the cyber criminals if not for the confidence the Progent group afforded us. The fact that you were able to get our messaging and production servers back into operation quicker than five days was beyond my wildest dreams. Each consultant I interacted with or communicated with at Progent was urgently focused on getting us back on-line and was working non-stop on our behalf."
Progent worked together with the customer to quickly understand and prioritize the mission-critical systems that had to be restored in order to continue departmental functions:
- Microsoft Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident response by isolating and cleaning infected systems. Progent then began the work of restoring Microsoft Active Directory, the key technology of enterprise networks built on Microsoft products: Exchange messaging will not work without Active Directory, and the business's MRP system ran on Microsoft SQL Server, which depends on Active Directory services to authenticate and authorize access to the data.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then pressed ahead with the setup and storage recovery of the most important systems. All Exchange Server data and attributes were intact, which greatly simplified the Exchange restore. Progent was also able to use the local OST files (Microsoft Outlook Offline Folder Files) on user workstations and laptops to recover mail data. A recent off-line backup of the customer's manufacturing systems made it possible to bring these vital applications back online for users. Although significant work remained to recover completely from the Ryuk virus, essential systems were returned to operation quickly:
"For the most part, the assembly line operation did not miss a beat and we made all customer orders."
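The restore ordering in this story (isolate first, then Active Directory, then the services that authenticate through it) generalizes to a dependency graph. The script below is an added example, not Progent's tooling or code from this case study; the service names, dependency edges and priority numbers are constructed assumptions modelled on the systems listed above. It groups services into waves whose members can be restored in parallel by different engineers, flattens the waves into a priority-ordered sequence, and rejects a plan that contains a dependency cycle or references a service nobody has defined.

```python
"""Dependency-ordered recovery planning.

Added example, not Progent's tooling or code from this case study. The service
names, dependency edges and priority numbers below are constructed assumptions
modelled on the restore sequence described in the story: isolate infected hosts,
rebuild Active Directory, then bring up the services that authenticate through it.
"""

# Constructed dependency map: service -> services that must be running first.
RECOVERY_DEPENDENCIES = {
    "isolate-infected-hosts": [],
    "active-directory": ["isolate-infected-hosts"],
    "exchange-server": ["active-directory"],
    "sql-server": ["active-directory"],
    "mrp-application": ["sql-server"],
    "accounting-application": ["sql-server"],
}

# Constructed business priority used to break ties (lower number = restore sooner).
BUSINESS_PRIORITY = {
    "isolate-infected-hosts": 0,
    "active-directory": 1,
    "exchange-server": 2,
    "mrp-application": 2,
    "sql-server": 3,
    "accounting-application": 4,
}


def recovery_waves(deps):
    """Group services into waves.

    Every service in a wave depends only on services from earlier waves, so the
    members of one wave can be restored in parallel by different engineers.
    Raises ValueError for an unknown dependency or a dependency cycle, either of
    which means the plan can never complete.
    """
    remaining = {svc: set(needs) for svc, needs in deps.items()}
    for svc, needs in remaining.items():
        unknown = needs - set(remaining)
        if unknown:
            raise ValueError(f"{svc} depends on unknown service(s) {sorted(unknown)}")
    waves = []
    while remaining:
        # Services whose prerequisites have all been restored already.
        ready = sorted(svc for svc, needs in remaining.items() if not needs)
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        waves.append(ready)
        for svc in ready:
            del remaining[svc]
        for needs in remaining.values():
            needs.difference_update(ready)
    return waves


def recovery_order(deps, priority=None):
    """Flatten the waves into one sequence, most business-critical service first
    within each wave; dependencies stay honoured because wave order is preserved."""
    priority = priority or {}
    order = []
    for wave in recovery_waves(deps):
        order.extend(sorted(wave, key=lambda s: (priority.get(s, 99), s)))
    return order


def plan_is_feasible(deps):
    """True when every service can eventually be restored (no cycle, no unknown dependency)."""
    try:
        recovery_waves(deps)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for n, wave in enumerate(recovery_waves(RECOVERY_DEPENDENCIES), 1):
        print(f"wave {n}: {', '.join(wave)}")
    print("sequence:", " -> ".join(recovery_order(RECOVERY_DEPENDENCIES, BUSINESS_PRIORITY)))
```

Running the script prints four waves: isolation, Active Directory, then Exchange and SQL Server together, then the two applications that sit on SQL Server. A real plan would carry many more nodes (DNS, file shares, backup infrastructure), but the same check applies: if the graph has a cycle, the team has a planning problem to solve before anyone starts restoring.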
Throughout the following couple of weeks, important milestones in the restoration process were achieved in close cooperation between Progent team members and the customer:
- In-house web sites were returned to operation without losing any information.
- The MailStore Microsoft Exchange Server archive containing more than four million historical messages was brought online and made available to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivable/Inventory capabilities were 100 percent restored.
- A new Palo Alto Networks 850 security appliance was set up.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"So much of what occurred that first week is mostly a haze for me, but I will not soon forget the countless hours each and every one of your team put in to help get our company back. I've entrusted Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This situation was the most impressive ever."
A likely business-killing disaster was averted through results-oriented experts, a wide spectrum of knowledge, and tight collaboration. Although in the post mortem the ransomware penetration described here would have been blocked by up-to-date security systems, NIST Cybersecurity Framework best practices, user and IT administrator education, and properly executed procedures for data backup and software patching, the reality is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and will keep trying. If you are hit by ransomware, remember that Progent's team of professionals has proven experience in crypto-ransomware defense, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for letting me get some sleep after we made it past the initial push. Everyone did an incredible job, and if anyone is visiting the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Barra da Tijuca a range of online monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services incorporate modern AI technology to detect zero-day variants of ransomware that are able to escape detection by traditional signature-based security solutions.
For 24-7 Barra da Tijuca Crypto Removal Help, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next-generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely get past legacy signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to address the entire malware attack progression including filtering, detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring of and response to security assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent's consultants can also assist you to set up and test a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with advanced backup/restore software companies to create ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and enable non-disruptive backup and rapid recovery of critical files/folders, apps, images, plus VMs. ProSight DPS helps you recover from data loss caused by equipment failures, natural calamities, fire, cyber attacks like ransomware, user error, ill-intentioned employees, or application glitches. Managed services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security vendors to deliver web-based management and world-class protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from making it to your network firewall. This reduces your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway device provides a deeper layer of inspection for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays within your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to diagram, monitor, optimize and troubleshoot their connectivity hardware like routers, firewalls, and access points plus servers, printers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration of almost all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating complex network management activities, WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, locating appliances that need critical updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent’s server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the health of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your assigned Progent engineering consultant so any potential issues can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Since the system is virtualized, it can be ported immediately to a different hardware solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect information related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can eliminate as much as half of the time spent looking for critical information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you’re making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Read more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection platform (EPP) managed service that utilizes next-generation behavior-based analysis tools to guard endpoints as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus products. These services safeguard local and cloud resources and provide a unified platform to manage the entire malware attack progression including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and recovery services.
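Both the ProSight ASM description above and this one contrast behavior-based detection with signature matching. The following Python script is an added example that illustrates that contrast on constructed data; it is not SentinelOne's or Progent's detection logic. The event fields, process hashes, the twenty-file threshold and the sixty-second window are all constructed assumptions. A signature check only recognizes binaries whose hash is already on a block list, so a freshly built strain passes it; the behavioral rule instead watches what a process does, flagging one that rewrites many files under a new extension within a short window, whatever its hash.

```python
"""Signature-based versus behavior-based detection on constructed file-activity events.

Added example, not SentinelOne's or Progent's detection logic. Every value below
(process names, hashes, paths, threshold, window) is a constructed assumption.
"""
import os
from collections import defaultdict, deque

# Constructed placeholder block list: SHA-256 hashes of binaries already known to be bad.
KNOWN_BAD_HASHES = {"0" * 64}


def make_events():
    """Build a constructed event stream of (t_seconds, process, process_sha256, action, src, dst)."""
    events = []
    # Benign: a user saving and renaming a handful of documents over ten minutes.
    for i in range(5):
        events.append((i * 120, "winword.exe", "a1" * 32, "rename",
                       f"C:/Users/alice/Documents/draft{i}.docx",
                       f"C:/Users/alice/Documents/final{i}.docx"))
    # Suspicious: an unrecognised process rewriting thirty share files under a new extension in thirty seconds.
    for i in range(30):
        events.append((600 + i, "svc_update.exe", "b2" * 32, "rename",
                       f"D:/Shares/Finance/report{i}.xlsx",
                       f"D:/Shares/Finance/report{i}.xlsx.locked"))
    return sorted(events)


EVENTS = make_events()


def signature_hits(events, known_bad=KNOWN_BAD_HASHES):
    """Signature approach: flag processes whose binary hash is already on the block list."""
    return {proc for _, proc, sha, *_ in events if sha in known_bad}


def behavioral_hits(events, threshold=20, window=60):
    """Behavioral approach: flag a process that renames `threshold` or more files to a
    different extension within any `window`-second span, regardless of its hash."""
    recent = defaultdict(deque)   # process -> timestamps of its recent extension-changing renames
    flagged = set()
    for t, proc, _sha, action, src, dst in events:
        if action != "rename":
            continue
        if os.path.splitext(src)[1].lower() == os.path.splitext(dst)[1].lower():
            continue   # same extension: ordinary save/rename activity
        q = recent[proc]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()   # slide the window forward
        if len(q) >= threshold:
            flagged.add(proc)
    return flagged


if __name__ == "__main__":
    print("signature matches :", signature_hits(EVENTS) or "none")
    print("behavioral matches:", behavioral_hits(EVENTS) or "none")
```

On the sample stream the signature check finds nothing, because the constructed process hash is not on the list, while the behavioral rule flags the bulk-rename process. The same rule would stay quiet for a legitimate batch conversion that runs below the threshold, which is why real products combine several behavioral signals rather than relying on one.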
- Outsourced/Co-managed Call Center: Call Center Managed Services
Progent's Support Center managed services enable your information technology team to outsource Help Desk services to Progent or split responsibilities for support services seamlessly between your in-house network support team and Progent's nationwide pool of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a seamless extension of your corporate network support resources. End user access to the Service Desk, provision of support services, problem escalation, ticket generation and tracking, efficiency measurement, and management of the support database are consistent whether incidents are taken care of by your internal support resources, by Progent's team, or both. Read more about Progent's outsourced/shared Service Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer organizations of all sizes a flexible and affordable solution for evaluating, validating, scheduling, implementing, and tracking updates to your ever-evolving IT network. In addition to optimizing the security and functionality of your computer network, Progent's patch management services free up time for your IT team to focus on more strategic initiatives and tasks that derive the highest business value from your network. Read more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity verification on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected application and enter your password, you are asked to confirm your identity via a device that only you possess and that uses a separate network channel. A broad range of out-of-band devices can be utilized as this added means of ID validation, including a smartphone or wearable, a hardware token, or a landline phone. You can register multiple validation devices. For details about Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services.
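The paragraph above describes a push-style second factor delivered out-of-band to a phone. The hardware-token and authenticator-app case it also lists works differently: the device and the server share a secret and each computes a short-lived code from it. The Python below is an added example of that code-based possession factor (RFC 4226 HOTP and RFC 6238 TOTP); it is not Duo's API or Progent's code. The shared secret is the RFC test-vector secret used as sample data, and the skew tolerance and replay rule are assumptions a server-side verifier would typically make.

```python
"""One-time-password second factor (RFC 4226 HOTP / RFC 6238 TOTP).

Added example; not Duo's API or Progent's code. Shows the code-based possession
factor a hardware token or authenticator app produces, verified server-side.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test-vector secret, used here as sample data only.
# Real deployments generate a random secret per user at enrolment.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from wall-clock time in `step`-second slots."""
    return hotp(secret, int(at_time) // step, digits)


def verify_second_factor(secret, submitted, at_time=None, last_used=-1,
                         step=30, digits=6, drift=1):
    """Server-side check of a submitted code.

    Accepts the code for the current time slot or up to `drift` slots either
    side (tolerating clock skew between token and server), compares in constant
    time, and refuses any slot at or before `last_used` so a code that has
    already been accepted cannot be presented again. Returns the accepted
    counter, which the caller stores as the new `last_used`, or None.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    now = time.time() if at_time is None else at_time
    current = int(now) // step
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)
    print("code at t=59:", code)
    print("accepted at t=59:", verify_second_factor(SAMPLE_SECRET, code, at_time=59))
    print("replayed at t=59:", verify_second_factor(SAMPLE_SECRET, code, at_time=59, last_used=1))
```

The replay rule is the part most often left out of home-grown verifiers: without it, a code captured by a phishing page stays valid for the whole skew window even after the legitimate user has used it.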