Ransomware : Your Crippling IT Nightmare
Ransomware Recovery Professionals
Crypto-ransomware has become a too-frequent cyber plague that represents an enterprise-level danger for organizations poorly prepared for an attack. Multiple generations of ransomware such as the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been replicating for many years and continue to inflict harm. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, along with frequent as yet unnamed newcomers, not only encrypt online files but also compromise most accessible system protection mechanisms. Information synchronized to the cloud can also be encrypted. Against a vulnerable data protection solution, this can make automated restore operations hopeless and effectively knocks the datacenter back to zero.

Getting programs and information back online after a ransomware event becomes a race against time as the targeted organization does its best to stop lateral movement, eradicate the crypto-ransomware, and restore enterprise-critical activity. Since ransomware takes time to move laterally, attacks are frequently sprung on weekends and holidays, when intrusions tend to take longer to recognize. This compounds the difficulty of quickly marshalling and coordinating a capable mitigation team.

Progent offers an assortment of services for protecting enterprises from ransomware events. These include team member training to help staff recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security gateways with machine learning capabilities from SentinelOne to detect and contain zero-day cyber threats quickly. Progent can also provide the services of veteran ransomware recovery professionals with the track record and perseverance to reconstruct a breached system as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
Following a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the attackers will hand over the keys needed to decrypt all your information. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNet estimates at around $13,000. The other path is to piece back together the mission-critical components of your IT environment. Absent full data backups, this calls for a wide range of IT skills, top-notch team management, and the willingness to work continuously until the task is done.

For twenty years, Progent has provided professional IT services for businesses in São Paulo and throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts hold internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience in accounting and ERP application software. This breadth of experience gives Progent the skills to efficiently identify important systems, consolidate the surviving parts of your IT system after a crypto-ransomware event, and rebuild them into a functioning network.

Progent's ransomware team of experts has top-notch project management tools to orchestrate the complex recovery process. Progent knows the importance of acting quickly and in concert with a client's management and IT staff to prioritize tasks and to put key applications back online as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Virus Recovery
A customer engaged Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored criminal gangs, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific organizations with limited ability to sustain operational disruption and is one of the most profitable examples of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with around 500 staff members. The Ryuk intrusion had frozen all essential business operations and manufacturing processes. Most of the client's data backups had been directly accessible at the beginning of the attack and were encrypted. The client was evaluating paying the ransom (in excess of $200,000) and hoping for the best, but in the end engaged Progent.

"I cannot tell you enough in regards to the help Progent gave us throughout the most critical time of (our) business's life. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail system and critical servers back into operation in less than one week was beyond my wildest dreams. Each expert I spoke to or e-mailed at Progent was hell-bent on getting our system up and was working at breakneck pace to bail us out."

Progent worked together with the client to quickly identify and prioritize the critical services that needed to be restored to make it possible to restart company functions:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Financials/MRP

To get going, Progent followed malware incident mitigation best practices by halting lateral movement and cleaning up compromised systems. Progent then began rebuilding Windows Active Directory, the foundational technology of enterprise systems built on Microsoft Windows Server. Microsoft Exchange Server messaging will not operate without Active Directory, and the client's financials and MRP system used Microsoft SQL Server, which depended on Active Directory for authentication to the data.

In less than two days, Progent restored Windows Active Directory to its pre-penetration state. Progent then charged ahead with rebuilding and disk recovery on mission-critical servers. All Exchange Server data and attributes were usable, which greatly helped the restoration of Exchange. Progent was able to locate unencrypted OST files (Outlook Offline Folder Files) on user desktop computers in order to recover email data. A fairly recent offline backup of the customer's accounting/ERP software made it possible to bring these required applications back online. Although a large amount of work still had to be done to recover completely from the Ryuk attack, essential systems were returned to operation quickly:

"For the most part, the production manufacturing operation showed little impact and we did not miss any customer sales."

Throughout the following couple of weeks, critical milestones in the recovery project were reached through tight collaboration between Progent team members and the client:

  • Internal web applications were restored with no loss of information.
  • The MailStore Server containing more than 4 million historical messages was restored to operation and made available to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory Control capabilities were 100% functional.
  • A new Palo Alto Networks 850 firewall was installed.
  • Ninety percent of the user desktops were operational.

"Much of what was accomplished those first few days is mostly a blur for me, but our team will not forget the urgency each of you accomplished to help get our company back. I've utilized Progent for the past ten years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This event was a life saver."

Conclusion
A potential business-killing disaster was averted thanks to hard-working experts, a wide array of subject matter expertise, and close collaboration. Although, in hindsight, the ransomware penetration described here should have been identified and stopped by advanced security systems and recognized best practices, staff education, and properly executed security procedures for data backup and software patching, the reality is that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a ransomware penetration, be confident that Progent's team of experts has substantial experience in ransomware defense, removal, and data recovery.

"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for making it so I could get rested after we got through the initial push. All of you did a fabulous effort, and if any of your team is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, please click: Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in São Paulo a portfolio of online monitoring and security evaluation services to help reduce your vulnerability to ransomware. These services include next-generation machine learning technology to detect new strains of ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior-based analysis tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to address the complete malware attack lifecycle including protection, identification, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can help your business design and configure a ProSight ESP environment that addresses your company's specific requirements and that allows you to demonstrate compliance with government and industry information security regulations. Progent will help you specify and configure the policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for immediate attention. Progent can also help your company install and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software providers to create ProSight Data Protection Services (DPS), a family of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup operations and enable non-disruptive backup and rapid restoration of critical files/folders, applications, images, plus virtual machines. ProSight DPS helps your business avoid data loss caused by equipment breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or application glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security companies to provide web-based control and world-class protection for your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of threats from making it to your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite gateway device provides a further layer of analysis for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map out, track, reconfigure and debug their connectivity appliances like routers, firewalls, and access points plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always updated, copies and manages the configuration of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, locating devices that require important software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by checking the health of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your designated IT management staff and your assigned Progent consultant so that any potential issues can be addressed before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Since the environment is virtualized, it can be moved easily to a different hardware solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect data related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can save up to half of the time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about the ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates cutting-edge behavior analysis tools to defend endpoint devices and physical and virtual servers against new malware assaults such as ransomware and email phishing, which easily evade traditional signature-based AV tools. Progent ASM services safeguard on-premises and cloud-based resources and provide a unified platform to manage the entire threat progression, including protection, infiltration detection, mitigation, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Center: Support Desk Managed Services
    Progent's Help Center managed services allow your IT team to outsource Help Desk services to Progent or divide activity for Service Desk support seamlessly between your in-house network support resources and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Shared Service Desk offers a smooth supplement to your corporate support team. User interaction with the Help Desk, delivery of support, escalation, trouble ticket creation and updates, efficiency metrics, and management of the service database are consistent whether issues are taken care of by your corporate support resources, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/shared Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer businesses of all sizes a versatile and cost-effective alternative for assessing, validating, scheduling, implementing, and documenting updates to your dynamic information system. In addition to maximizing the security and reliability of your computer environment, Progent's software/firmware update management services free up time for your IT team to focus on line-of-business projects and tasks that deliver maximum business value from your information network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you sign into a secured application and give your password, you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A wide range of out-of-band devices can be utilized for this added form of authentication, including an iPhone or Android phone, a smartwatch, a hardware token, a landline phone, etc. You can designate several verification devices. To find out more about ProSight Duo identity validation services, refer to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of real-time and in-depth reporting tools created to work with the industry's leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-through or machines with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For São Paulo 24/7/365 Crypto-Ransomware Recovery Consulting, call Progent at 800-462-8800 or go to Contact Progent.