Crypto-Ransomware : Your Crippling Information Technology Disaster
Ransomware  Remediation ExpertsCrypto-Ransomware has become a modern cyber pandemic that represents an enterprise-level danger for organizations poorly prepared for an attack. Different iterations of ransomware such as Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for many years and continue to cause harm. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, as well as additional as yet unnamed viruses, not only encrypt on-line critical data but also infect most available system protection mechanisms. Files synched to cloud environments can also be encrypted. In a poorly architected environment, this can make automated restoration hopeless and effectively sets the datacenter back to square one.

Restoring applications and data after a ransomware attack becomes a race against time as the targeted business struggles to stop lateral movement and remove the crypto-ransomware and to restore enterprise-critical operations. Due to the fact that crypto-ransomware takes time to move laterally, penetrations are frequently launched during nights and weekends, when successful penetrations tend to take more time to uncover. This multiplies the difficulty of rapidly marshalling and orchestrating a capable mitigation team.

Progent offers a variety of support services for protecting businesses from ransomware attacks. Among these are team member training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security appliances with artificial intelligence technology from SentinelOne to identify and disable zero-day cyber attacks automatically. Progent in addition provides the assistance of veteran crypto-ransomware recovery professionals with the talent and commitment to re-deploy a compromised environment as quickly as possible.

Progent's Ransomware Restoration Services
Subsequent to a ransomware attack, paying the ransom in cryptocurrency does not provide any assurance that cyber criminals will return the keys to decrypt all your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the typical crypto-ransomware demands, which ZDNET averages to be around $13,000. The fallback is to setup from scratch the essential components of your IT environment. Absent the availability of full information backups, this requires a broad complement of IT skills, well-coordinated team management, and the willingness to work non-stop until the recovery project is completed.

For decades, Progent has offered professional IT services for companies in São Paulo and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of expertise provides Progent the skills to efficiently understand critical systems and organize the surviving components of your Information Technology environment following a crypto-ransomware event and assemble them into a functioning network.

Progent's recovery team uses best of breed project management tools to orchestrate the complicated recovery process. Progent understands the urgency of working quickly and together with a client's management and IT staff to assign priority to tasks and to put essential applications back on-line as fast as possible.

Business Case Study: A Successful Ransomware Intrusion Recovery
A small business escalated to Progent after their organization was taken over by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by Northern Korean government sponsored hackers, suspected of using algorithms exposed from the U.S. National Security Agency. Ryuk seeks specific organizations with little tolerance for disruption and is one of the most profitable instances of ransomware malware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company based in the Chicago metro area and has around 500 workers. The Ryuk intrusion had brought down all company operations and manufacturing processes. The majority of the client's data protection had been directly accessible at the time of the attack and were destroyed. The client was taking steps for paying the ransom (exceeding $200,000) and praying for good luck, but in the end utilized Progent.


"I cannot speak enough about the help Progent provided us during the most fearful period of (our) businesses life. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent group gave us. That you were able to get our messaging and important applications back online quicker than 1 week was incredible. Every single staff member I talked with or messaged at Progent was hell bent on getting our system up and was working day and night on our behalf."

Progent worked hand in hand the customer to quickly determine and prioritize the most important applications that needed to be recovered in order to resume departmental operations:

  • Microsoft Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software
To get going, Progent followed AV/Malware Processes incident mitigation best practices by isolating and cleaning up infected systems. Progent then began the process of recovering Microsoft Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not function without Windows AD, and the customer's financials and MRP software used Microsoft SQL Server, which depends on Windows AD for authentication to the data.

Within 2 days, Progent was able to rebuild Active Directory services to its pre-attack state. Progent then assisted with rebuilding and hard drive recovery on needed applications. All Microsoft Exchange Server data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to locate local OST files (Outlook Off-Line Data Files) on team desktop computers to recover email information. A not too old off-line backup of the customer's accounting systems made them able to return these essential applications back online. Although significant work remained to recover completely from the Ryuk damage, the most important systems were restored rapidly:


"For the most part, the production manufacturing operation was never shut down and we delivered all customer orders."

Over the next few weeks key milestones in the restoration process were achieved in close cooperation between Progent team members and the client:

  • In-house web applications were brought back up without losing any data.
  • The MailStore Microsoft Exchange Server containing more than four million archived emails was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory modules were 100% restored.
  • A new Palo Alto 850 firewall was installed.
  • Most of the user workstations were operational.

"Much of what occurred that first week is nearly entirely a fog for me, but we will not forget the countless hours each of the team accomplished to help get our company back. I've entrusted Progent for the past 10 years, possibly more, and every time Progent has come through and delivered as promised. This time was a testament to your capabilities."

Conclusion
A likely company-ending disaster was averted by top-tier professionals, a broad spectrum of knowledge, and close collaboration. Although in analyzing the event afterwards the crypto-ransomware virus incident described here could have been shut down with up-to-date security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and appropriate incident response procedures for information backup and applying software patches, the fact remains that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has extensive experience in ransomware virus defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), thank you for making it so I could get some sleep after we got over the first week. All of you did an amazing effort, and if anyone is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in São Paulo a range of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services include next-generation AI capability to uncover new strains of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to automate the complete threat progression including filtering, infiltration detection, mitigation, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device management, and web filtering via leading-edge tools incorporated within a single agent accessible from a unified control. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP deployment that addresses your organization's unique requirements and that allows you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also help you to install and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology providers to create ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup processes and allow transparent backup and fast recovery of important files/folders, applications, images, plus virtual machines. ProSight DPS helps your business avoid data loss caused by hardware breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or application bugs. Managed backup services available in the ProSight Data Protection Services product line include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security vendors to deliver web-based management and comprehensive security for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and blocks most threats from reaching your network firewall. This decreases your exposure to external threats and conserves system bandwidth and storage. Email Guard's onsite security gateway device provides a further layer of inspection for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to diagram, track, enhance and troubleshoot their networking appliances like routers, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are kept updated, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating time-consuming management activities, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, locating appliances that need important updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT management staff and your Progent consultant so that any potential issues can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hosting environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSLs or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates next generation behavior-based machine learning tools to guard endpoints as well as physical and virtual servers against modern malware assaults such as ransomware and email phishing, which easily get by legacy signature-based anti-virus tools. Progent ASM services protect local and cloud resources and offers a single platform to automate the entire malware attack progression including filtering, identification, containment, remediation, and forensics. Top features include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
    Progent's Support Desk managed services allow your information technology staff to offload Support Desk services to Progent or split responsibilities for support services seamlessly between your internal network support group and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a smooth extension of your corporate IT support group. Client access to the Service Desk, delivery of support, escalation, ticket creation and tracking, performance measurement, and maintenance of the service database are consistent regardless of whether issues are resolved by your in-house support resources, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/shared Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of any size a versatile and cost-effective solution for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT system. In addition to maximizing the protection and reliability of your IT network, Progent's patch management services free up time for your IT staff to concentrate on line-of-business projects and tasks that derive maximum business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication. Duo supports one-tap identity verification on Apple iOS, Android, and other out-of-band devices. Using 2FA, when you sign into a secured online account and give your password you are requested to confirm your identity on a device that only you possess and that uses a different ("out-of-band") network channel. A wide range of out-of-band devices can be utilized for this added form of authentication such as an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You can designate several verification devices. To learn more about Duo identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.
For 24-Hour São Paulo Crypto Repair Experts, call Progent at 800-462-8800 or go to Contact Progent.