Ransomware : Your Feared IT Catastrophe
Ransomware  Remediation ProfessionalsRansomware has become a too-frequent cyberplague that represents an extinction-level threat for organizations poorly prepared for an assault. Different versions of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for a long time and still inflict harm. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as more unnamed viruses, not only do encryption of on-line data files but also infiltrate all available system restores and backups. Files synched to cloud environments can also be corrupted. In a poorly architected data protection solution, this can render automated restore operations hopeless and effectively knocks the datacenter back to zero.

Getting back applications and information following a ransomware outage becomes a race against the clock as the victim fights to contain the damage and clear the crypto-ransomware and to resume enterprise-critical operations. Since ransomware needs time to replicate, assaults are frequently launched during nights and weekends, when attacks are likely to take more time to recognize. This compounds the difficulty of quickly mobilizing and orchestrating a knowledgeable response team.

Progent has a variety of help services for protecting enterprises from crypto-ransomware penetrations. Among these are user training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security solutions with AI technology from SentinelOne to discover and suppress day-zero cyber attacks rapidly. Progent in addition can provide the services of experienced ransomware recovery consultants with the track record and commitment to restore a breached system as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
Soon after a crypto-ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the needed codes to unencrypt all your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their data after having paid the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to piece back together the key elements of your IT environment. Absent the availability of complete information backups, this requires a broad complement of IT skills, top notch project management, and the capability to work non-stop until the task is completed.

For twenty years, Progent has provided expert IT services for companies in São Paulo and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have been awarded advanced certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise gives Progent the capability to knowledgably determine important systems and integrate the remaining parts of your Information Technology system following a ransomware attack and rebuild them into a functioning network.

Progent's security group has state-of-the-art project management systems to orchestrate the complex restoration process. Progent knows the urgency of working rapidly and together with a client's management and Information Technology team members to prioritize tasks and to get critical services back online as fast as possible.

Business Case Study: A Successful Crypto-Ransomware Attack Restoration
A business hired Progent after their network was crashed by the Ryuk ransomware. Ryuk is generally considered to have been developed by Northern Korean government sponsored hackers, suspected of adopting approaches exposed from the United States NSA organization. Ryuk goes after specific businesses with little ability to sustain operational disruption and is one of the most lucrative versions of crypto-ransomware. High publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in Chicago and has about 500 staff members. The Ryuk attack had disabled all business operations and manufacturing processes. The majority of the client's data backups had been online at the time of the attack and were destroyed. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and praying for the best, but ultimately engaged Progent.


"I can't thank you enough about the care Progent provided us throughout the most stressful time of (our) businesses survival. We may have had to pay the Hackers if not for the confidence the Progent experts provided us. That you were able to get our e-mail and production applications back online sooner than 1 week was beyond my wildest dreams. Each staff member I interacted with or texted at Progent was totally committed on getting us restored and was working all day and night on our behalf."

Progent worked with the customer to rapidly get our arms around and prioritize the mission critical elements that had to be recovered to make it possible to resume departmental functions:

  • Active Directory
  • Microsoft Exchange Server
  • MRP System
To start, Progent adhered to ransomware event mitigation best practices by halting lateral movement and performing virus removal steps. Progent then started the process of restoring Microsoft Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not function without Active Directory, and the businesses' MRP applications leveraged SQL Server, which needs Windows AD for security authorization to the databases.

Within 2 days, Progent was able to recover Active Directory to its pre-penetration state. Progent then initiated setup and hard drive recovery on key applications. All Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Offline Data Files) on team PCs to recover mail information. A recent off-line backup of the client's manufacturing systems made it possible to return these essential programs back servicing users. Although major work remained to recover completely from the Ryuk attack, core services were returned to operations quickly:


"For the most part, the production manufacturing operation showed little impact and we did not miss any customer orders."

Throughout the next few weeks key milestones in the restoration process were accomplished through tight collaboration between Progent team members and the client:

  • Self-hosted web sites were brought back up with no loss of data.
  • The MailStore Exchange Server containing more than four million historical emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory functions were fully functional.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Ninety percent of the user desktops and notebooks were back into operation.

"Much of what transpired during the initial response is nearly entirely a haze for me, but our team will not forget the countless hours each of your team put in to give us our business back. I have been working together with Progent for the past ten years, maybe more, and every time Progent has come through and delivered. This situation was a life saver."

Conclusion
A possible business extinction catastrophe was dodged by top-tier professionals, a wide array of knowledge, and tight collaboration. Although upon completion of forensics the ransomware attack described here would have been identified and prevented with current security technology solutions and best practices, staff training, and well thought out incident response procedures for backup and applying software patches, the reality is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware attack, remember that Progent's team of professionals has proven experience in ransomware virus defense, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were involved), I'm grateful for making it so I could get some sleep after we got over the initial fire. All of you did an incredible effort, and if any of your guys is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in São Paulo a range of remote monitoring and security assessment services to help you to reduce the threat from ransomware. These services incorporate next-generation AI technology to uncover zero-day strains of ransomware that can escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to manage the entire malware attack lifecycle including protection, detection, mitigation, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools incorporated within a single agent managed from a unified control. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP deployment that addresses your organization's unique needs and that allows you demonstrate compliance with government and industry information security regulations. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also help you to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with advanced backup technology providers to create ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products manage and track your backup processes and enable transparent backup and fast restoration of critical files/folders, applications, images, and virtual machines. ProSight DPS lets you recover from data loss resulting from equipment failures, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security companies to deliver centralized management and comprehensive security for your inbound and outbound email. The powerful architecture of Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. The cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and saves system bandwidth and storage. Email Guard's onsite security gateway device adds a deeper layer of inspection for incoming email. For outgoing email, the onsite gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also help Exchange Server to track and protect internal email traffic that stays within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, optimize and debug their connectivity hardware like routers and switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are kept current, captures and manages the configuration of almost all devices on your network, tracks performance, and generates notices when problems are discovered. By automating complex management activities, ProSight WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, locating appliances that need important software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to keep your network running at peak levels by checking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT management staff and your assigned Progent consultant so that all potential issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hosting solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect data related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs ,domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of time spent searching for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes cutting edge behavior-based analysis technology to defend endpoint devices and servers and VMs against modern malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-matching AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and provides a single platform to manage the complete malware attack lifecycle including protection, infiltration detection, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
    Progent's Help Desk services permit your information technology team to offload Call Center services to Progent or divide activity for support services transparently between your in-house support group and Progent's extensive roster of certified IT support engineers and subject matter experts. Progent's Shared Service Desk provides a seamless extension of your internal network support group. End user access to the Help Desk, provision of support, problem escalation, ticket generation and tracking, efficiency metrics, and management of the support database are cohesive whether issues are resolved by your core IT support organization, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and documenting updates to your ever-evolving information system. Besides optimizing the security and reliability of your computer environment, Progent's software/firmware update management services allow your in-house IT staff to concentrate on line-of-business projects and activities that deliver maximum business value from your network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication services utilize Cisco's Duo technology to defend against password theft through the use of two-factor authentication (2FA). Duo enables one-tap identity verification on iOS, Android, and other personal devices. Using 2FA, whenever you log into a protected application and give your password you are requested to confirm your identity on a unit that only you have and that is accessed using a separate network channel. A wide range of devices can be utilized as this second means of ID validation such as a smartphone or watch, a hardware/software token, a landline phone, etc. You may register multiple verification devices. To learn more about Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of real-time and in-depth reporting utilities designed to integrate with the industry's leading ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues such as inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For 24x7 São Paulo Ransomware Recovery Consultants, contact Progent at 800-462-8800 or go to Contact Progent.