Ransomware: Your Worst IT Catastrophe
Crypto-Ransomware Remediation Consultants

Crypto-ransomware has become an escalating cyberplague that poses an enterprise-level danger to organizations unprepared for an attack. Older ransomware families like the CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been in the wild for a long time and still cause havoc. More recent crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, plus a steady stream of unnamed newcomers, not only encrypt online data but also go after any protection mechanism they can reach, backups included. Files synced to off-site disaster recovery sites can be held hostage as well. In a vulnerable environment this renders automatic restoration useless and effectively knocks the datacenter back to zero.

Restoring applications and data after a crypto-ransomware outage becomes a race against the clock as the targeted organization struggles to stop the spread, clear the crypto-ransomware, and restore mission-critical activity. Because ransomware takes time to propagate, attacks are often sprung on weekends and holidays, when a successful penetration is likely to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and orchestrating a capable response team.

Progent offers a range of support services for protecting organizations from crypto-ransomware attacks. Among these are user training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security solutions built on SentinelOne machine learning technology to detect and disable zero-day threats rapidly. Progent also provides experienced ransomware recovery professionals with the track record and perseverance to restore a compromised network as quickly as possible.

Progent's Ransomware Recovery Support Services
Following a crypto-ransomware event, paying the ransom in cryptocurrency does not ensure that the distant criminals will return the keys needed to decrypt any or all of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data even after sending off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms are commonly a few hundred thousand dollars, and for larger enterprises the demand can run into the millions. The alternative is to rebuild the critical parts of your Information Technology environment. Without access to complete data backups, this calls for a broad complement of IT skills, well-coordinated project management, and the ability to work 24x7 until the recovery project is completed.

For twenty years, Progent has offered professional Information Technology services for businesses throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally-recognized certifications including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience gives Progent the skills to quickly understand critical systems and re-organize the remaining components of your computer network environment following a ransomware event and assemble them into an operational system.

Progent's security group has state-of-the-art project management tools to orchestrate the complicated recovery process. Progent knows the urgency of acting swiftly and in concert with a client's management and IT staff to assign priority to tasks and to put key services back online as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Incident Restoration
A client escalated to Progent after their company was attacked by the Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored hackers, suspected of using algorithms leaked from America's National Security Agency. Ryuk targets businesses with little ability to sustain operational disruption and is among the most lucrative instances of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with about 500 workers. The Ryuk penetration had brought down all business operations and manufacturing processes. Most of the client's data backups had been directly accessible at the start of the attack and were damaged. The client considered paying the ransom demand (exceeding $200K) and hoping for the best, but in the end brought in Progent.


"I can't say enough about the support Progent gave us during the most fearful period of (our) company's life. We most likely would have paid the criminal gangs except for the confidence the Progent group gave us. That you were able to get our messaging and key applications back online in less than a week was earth-shattering. Every single staff member I got help from or messaged at Progent was amazingly focused on getting us back online and was working at all hours to bail us out."

Progent worked hand in hand with the customer to rapidly identify and prioritize the most important areas that had to be addressed to allow company operations to continue:

  • Microsoft Active Directory
  • Electronic Mail
  • Financials/MRP

To begin, Progent followed ransomware incident mitigation best practices by stopping the spread and cleaning up compromised systems. Progent then started rebuilding Windows Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Exchange email will not function without Active Directory, and the client's accounting and MRP applications ran on Microsoft SQL Server, which relies on Windows AD to authenticate and authorize access to the data.

Within 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then began rebuilding the critical applications and recovering their storage. All Exchange data and configuration information were usable, which simplified the restoration of Exchange. Progent was also able to gather local OST files (Microsoft Outlook Offline Data Files) from user desktop computers in order to recover email messages. A reasonably recent offline backup of the business's financials/ERP software made it possible to return these vital services to users. Although significant work remained to recover completely from the Ryuk attack, core services were returned to operation rapidly:


"For the most part, the production operation was never shut down and we made all customer deliverables."

During the following few weeks important milestones in the recovery process were completed through tight cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore email archive for Microsoft Exchange Server, holding more than 4 million archived messages, was restored to operation and made accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory functions were fully restored.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Most of the user PCs were functioning as before the incident.

"A huge amount of what happened in the initial days is nearly entirely a fog for me, but our team will not soon forget the countless hours all of you accomplished to give us our company back. I've been working with Progent for at least 10 years, maybe more, and each time Progent has come through and delivered. This time was the most impressive ever."

Conclusion
A potential business-extinction disaster was avoided through the efforts of dedicated professionals, a broad range of knowledge, and close teamwork. In hindsight, the ransomware penetration described here should have been stopped by advanced cyber security technology, NIST Cybersecurity Framework best practices, user training, and properly executed incident response procedures for data backup and timely security patching. Even so, state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and will keep coming. If you do get hit by a ransomware incursion, you can be confident that Progent's team of professionals has extensive experience in crypto-ransomware defense, cleanup, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for making it so I could get rested after we made it past the most critical parts. Everyone made an impressive effort, and if any of you guys are visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in São Paulo a range of online monitoring and security assessment services designed to help you to reduce your vulnerability to crypto-ransomware. These services utilize next-generation artificial intelligence technology to detect new strains of ransomware that are able to get past legacy signature-based security solutions.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the state of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that any potential problems can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software offers a unified, cloud-based solution for managing your client-server infrastructure by providing tools for performing common time-consuming tasks. These can include health monitoring, patch management, automated remediation, endpoint configuration, backup and recovery, A/V response, secure remote access, standard and custom scripts, asset inventory, endpoint profile reporting, and debugging help. If ProSight LAN Watch with NinjaOne RMM identifies a serious problem, it sends an alarm to your designated IT management staff and your assigned Progent technical consultant so that potential issues can be taken care of before they impact productivity. Learn more details about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring consulting.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers plus servers, client computers and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network diagrams are kept updated, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when issues are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, finding appliances that need important updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of real-time management reporting utilities designed to integrate with the industry's leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like inconsistent support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup/restore technology providers to create ProSight Data Protection Services, a selection of offerings that provide backup-as-a-service. ProSight DPS services automate and track your backup operations and allow transparent backup and rapid recovery of vital files/folders, applications, images, plus virtual machines. ProSight DPS helps you avoid data loss resulting from hardware failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed backup services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to deliver centralized management and comprehensive security for all your email traffic. The hybrid structure of Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of inspection for incoming email. For outbound email, the on-premises security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server in monitoring and protecting internal email traffic that stays inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication services incorporate Cisco's Duo cloud technology to defend against password theft through two-factor authentication (2FA). Duo enables one-tap identity confirmation with iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected online account and enter your password you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A wide selection of devices can serve as this second form of identity validation, such as a smartphone or watch, a hardware token, or a landline telephone, and you may register multiple validation devices. To find out more about Duo identity authentication services, see Duo MFA two-factor authentication services for access security.

  • Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
    Progent's Support Desk services permit your information technology team to outsource Call Center services to Progent or divide activity for Help Desk services seamlessly between your internal support group and Progent's nationwide pool of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless supplement to your corporate IT support team. End user access to the Service Desk, delivery of support, problem escalation, ticket creation and tracking, performance metrics, and maintenance of the support database are consistent regardless of whether issues are resolved by your corporate IT support organization, by Progent, or both. Learn more about Progent's outsourced/shared Service Desk services.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that uses next-generation behavior-based machine learning tools to defend endpoint devices as well as physical and virtual servers against new malware attacks like ransomware and email phishing, which easily evade legacy signature-matching anti-virus tools. Progent ASM services safeguard local and cloud-based resources and provide a unified platform to address the entire threat progression, including blocking, infiltration detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can eliminate as much as 50% of time spent trying to find vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of any size a versatile and affordable alternative for assessing, validating, scheduling, applying, and tracking updates to your ever-evolving IT network. In addition to optimizing the protection and functionality of your IT network, Progent's patch management services free up time for your IT staff to focus on line-of-business initiatives and activities that deliver the highest business value from your network. Learn more about Progent's software/firmware update management services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported easily to an alternate hosting solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily get by traditional signature-matching anti-virus tools. ProSight ASM safeguards local and cloud-based resources and provides a single platform to address the entire malware attack lifecycle including filtering, infiltration detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint management, and web filtering through leading-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP deployment that addresses your organization's specific needs and that allows you to prove compliance with legal and industry information protection standards. Progent will assist you in defining and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent can also help you install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

For 24/7 São Paulo Crypto-Ransomware Remediation Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.