Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware  Remediation ProfessionalsRansomware has become a modern cyberplague that poses an existential threat for organizations vulnerable to an assault. Different versions of ransomware such as CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for a long time and still inflict destruction. Recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus additional as yet unnamed malware, not only encrypt online critical data but also infect most available system restores and backups. Information synchronized to cloud environments can also be rendered useless. In a poorly designed environment, it can render automatic recovery impossible and basically knocks the datacenter back to zero.

Retrieving services and information after a ransomware event becomes a race against the clock as the targeted business fights to contain the damage and eradicate the ransomware and to restore mission-critical operations. Due to the fact that crypto-ransomware needs time to replicate, assaults are usually launched on weekends, when successful penetrations in many cases take longer to discover. This compounds the difficulty of rapidly marshalling and orchestrating a capable mitigation team.

Progent provides a range of solutions for protecting organizations from ransomware attacks. These include team member training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation security solutions with AI capabilities to quickly detect and quarantine zero-day cyber threats. Progent also offers the services of seasoned crypto-ransomware recovery engineers with the talent and perseverance to rebuild a breached network as urgently as possible.

Progent's Ransomware Recovery Services
Soon after a ransomware event, sending the ransom in cryptocurrency does not ensure that distant criminals will respond with the needed keys to decrypt any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET determined to be around $13,000. The other path is to piece back together the key components of your Information Technology environment. Absent the availability of full data backups, this calls for a wide range of IT skills, well-coordinated team management, and the ability to work non-stop until the task is completed.

For twenty years, Progent has made available certified expert Information Technology services for businesses in São Paulo and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded advanced certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of experience affords Progent the skills to efficiently understand necessary systems and organize the remaining parts of your IT environment after a ransomware event and assemble them into an operational network.

Progent's recovery team of experts uses state-of-the-art project management applications to coordinate the sophisticated recovery process. Progent understands the importance of working rapidly and in concert with a customer’s management and IT team members to assign priority to tasks and to get critical systems back on-line as fast as possible.

Client Case Study: A Successful Ransomware Penetration Response
A small business escalated to Progent after their company was attacked by Ryuk ransomware. Ryuk is thought to have been developed by Northern Korean government sponsored criminal gangs, suspected of using approaches leaked from the U.S. NSA organization. Ryuk attacks specific companies with little tolerance for disruption and is among the most profitable incarnations of crypto-ransomware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer located in the Chicago metro area and has about 500 employees. The Ryuk attack had frozen all business operations and manufacturing processes. Most of the client's backups had been directly accessible at the beginning of the intrusion and were destroyed. The client was pursuing financing for paying the ransom (more than two hundred thousand dollars) and praying for good luck, but ultimately brought in Progent.


"I can’t say enough in regards to the help Progent provided us throughout the most critical time of (our) businesses existence. We would have paid the Hackers if not for the confidence the Progent team gave us. That you were able to get our e-mail and essential servers back on-line faster than five days was incredible. Every single person I worked with or communicated with at Progent was urgently focused on getting our system up and was working day and night on our behalf."

Progent worked hand in hand the customer to rapidly assess and prioritize the critical systems that had to be addressed in order to continue business functions:

  • Microsoft Active Directory
  • Email
  • MRP System
To begin, Progent followed AV/Malware Processes event response industry best practices by halting lateral movement and performing virus removal steps. Progent then started the work of bringing back online Windows Active Directory, the key technology of enterprise environments built upon Microsoft technology. Microsoft Exchange Server email will not operate without Windows AD, and the customer’s accounting and MRP software utilized SQL Server, which needs Windows AD for authentication to the databases.

In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then helped perform rebuilding and hard drive recovery on key systems. All Microsoft Exchange Server data and attributes were usable, which facilitated the restore of Exchange. Progent was able to locate intact OST files (Outlook Email Off-Line Data Files) on user workstations and laptops to recover mail messages. A not too old offline backup of the customer’s financials/ERP software made them able to restore these required programs back available to users. Although a large amount of work needed to be completed to recover totally from the Ryuk virus, core services were recovered rapidly:


"For the most part, the assembly line operation did not miss a beat and we produced all customer shipments."

During the next month key milestones in the restoration project were made through close cooperation between Progent consultants and the client:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/AR/Inventory Control functions were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Nearly all of the desktop computers were back into operation.

"Much of what transpired those first few days is mostly a fog for me, but my team will not soon forget the urgency all of the team accomplished to give us our business back. I’ve trusted Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This event was no exception but maybe more Herculean."

Conclusion
A potential company-ending catastrophe was evaded by results-oriented professionals, a wide spectrum of IT skills, and tight collaboration. Although upon completion of forensics the ransomware virus attack detailed here should have been prevented with modern cyber security technology and security best practices, team training, and properly executed security procedures for information protection and keeping systems up to date with security patches, the fact is that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incident, feel confident that Progent's team of professionals has extensive experience in ransomware virus defense, cleanup, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thanks very much for letting me get rested after we made it through the initial push. Everyone did an impressive effort, and if anyone is around the Chicago area, dinner is on me!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in São Paulo a range of remote monitoring and security assessment services to help you to reduce the threat from ransomware. These services include modern machine learning capability to detect zero-day variants of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior machine learning technology to defend physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily get by traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to address the complete malware attack lifecycle including filtering, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge technologies packaged within one agent managed from a unified control. Progent's data protection and virtualization consultants can assist you to design and configure a ProSight ESP environment that addresses your organization's specific needs and that helps you prove compliance with government and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent action. Progent can also assist your company to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable and fully managed solution for reliable backup/disaster recovery (BDR). For a low monthly price, ProSight Data Protection Services automates your backup processes and enables fast recovery of vital files, applications and virtual machines that have become unavailable or corrupted as a result of component failures, software glitches, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local device, or to both. Progent's BDR consultants can provide world-class support to set up ProSight DPS to to comply with government and industry regulatory standards like HIPAA, FINRA, and PCI and, when necessary, can assist you to restore your business-critical information. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security vendors to deliver centralized management and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Email Guard combines cloud-based filtering with a local security gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based malware. Email Guard's cloud filter acts as a first line of defense and blocks most threats from reaching your network firewall. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map, monitor, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and displays the configuration information of virtually all devices on your network, tracks performance, and generates alerts when problems are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, locating devices that require critical software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent’s server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by checking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management personnel and your assigned Progent consultant so that all potential issues can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of time spent searching for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you’re planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Learn more about ProSight IT Asset Management service.
For 24x7 São Paulo Ransomware Cleanup Consultants, contact Progent at 800-993-9400 or go to Contact Progent.