Ransomware : Your Feared Information Technology Catastrophe
Ransomware Remediation Professionals
Ransomware has become an all-too-frequent cyber pandemic that poses an existential threat to businesses unprepared for an attack. Multiple generations of ransomware, including the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms, have been running rampant for years and continue to cause havoc. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, plus frequent as-yet-unnamed malware, not only encrypt on-line files but also defeat many configured system protections. Files synched to off-site disaster recovery sites can also be encrypted. In a poorly architected system, this can render automated restoration impossible and effectively sets the datacenter back to square one.

Getting services and information back on-line following a ransomware outage becomes a sprint against time as the targeted business tries its best to contain and eradicate the ransomware and to restore mission-critical operations. Because ransomware needs time to move laterally, attacks are frequently launched at night, when successful penetrations tend to take longer to notice. This multiplies the difficulty of promptly assembling and organizing an experienced response team.

Progent provides a variety of solutions for securing organizations against ransomware events. These include team training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security appliances with artificial intelligence capabilities from SentinelOne to detect and extinguish new cyber attacks rapidly. Progent also offers the assistance of seasoned ransomware recovery engineers with the skills and commitment to reconstruct a breached environment as soon as possible.

Progent's Ransomware Recovery Services
After a ransomware event, even paying the ransom demand in cryptocurrency provides no assurance that the attackers will hand over the keys needed to decrypt all your information. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to re-install the critical elements of your Information Technology environment. Without full data backups, this calls for a wide range of skill sets, well-coordinated team management, and the capability to work 24x7 until the task is over.

For two decades, Progent has provided certified expert IT services for companies in São Paulo and across the United States and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the skills to rapidly identify the necessary systems, organize the surviving components of your IT system after a ransomware event, and assemble them into a functioning network.

Progent's team of ransomware experts uses state-of-the-art project management tools to orchestrate the sophisticated restoration process. Progent understands the urgency of acting quickly and in concert with a customer's management and IT resources to prioritize tasks and to put the most important services back online as soon as humanly possible.

Customer Story: A Successful Ransomware Penetration Restoration
A small business contacted Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored cybercriminals, possibly using technology leaked from the United States National Security Agency. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most lucrative instances of ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with around 500 employees. The Ryuk event had brought down all essential operations and manufacturing processes. The majority of the client's backups had been online at the time of the intrusion and were damaged. The client was evaluating paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.


"I cannot say enough in regards to the support Progent provided us during the most critical period of (our) company's existence. We had little choice but to pay the cyber criminals except for the confidence the Progent group gave us. The fact that you could get our e-mail and critical applications back quicker than 1 week was earth shattering. Every single consultant I spoke to or e-mailed at Progent was laser focused on getting us operational and was working 24/7 to bail us out."

Progent worked hand in hand with the customer to rapidly identify and prioritize the essential services that had to be recovered before company functions could restart:

  • Windows Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for malware incident mitigation by isolating and cleaning infected systems. Progent then began the work of bringing Active Directory back online, since it is the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange email will not function without Active Directory, and the customer's financial and MRP software relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the database.

In less than 48 hours, Progent was able to rebuild Active Directory to its pre-infection state. Progent then initiated reinstallations and hard drive recovery on mission-critical servers. All Exchange schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Off-Line Folder Files) from staff PCs in order to recover email messages. A fairly recent offline backup of the client's manufacturing systems made it possible to bring these required services back on-line. Although a lot of work still had to be done to recover completely from the Ryuk damage, core services were restored rapidly:


"For the most part, the manufacturing operation ran fairly normal throughout and we delivered all customer deliverables."

During the following few weeks, critical milestones in the restoration project were reached through close cooperation between Progent consultants and the customer:

  • Internal web applications were restored with no loss of data.
  • The MailStore Server containing more than four million historical messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were completely functional.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Nearly all of the desktops and laptops were fully operational.

"Much of what was accomplished in the early hours is nearly entirely a fog for me, but I will not soon forget the commitment all of the team put in to give us our company back. I've trusted Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered. This situation was a testament to your capabilities."

Conclusion
A potential business catastrophe was averted through the efforts of dedicated experts, a broad spectrum of subject matter expertise, and tight teamwork. Although the forensic review showed that the ransomware incident detailed here would have been blocked by modern cyber security technology, ISO/IEC 27001 best practices, user education, properly executed information protection procedures and proper patching controls, the fact remains that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware incursion, remember that Progent's roster of professionals has substantial experience in ransomware blocking, removal, and file recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for letting me get some sleep after we got through the most critical parts. All of you did a fabulous job, and if any of your team is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in São Paulo a variety of online monitoring and security evaluation services designed to help you minimize your exposure to crypto-ransomware. These services use modern artificial intelligence technology to uncover new strains of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely escape legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to address the entire malware attack progression including blocking, identification, containment, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers firewall protection, penetration alarms, device control, and web filtering via leading-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization experts can help you to design and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also assist your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with advanced backup software companies to create ProSight Data Protection Services (DPS), a family of offerings that provide backup-as-a-service. ProSight DPS products automate and track your backup operations and allow transparent backup and fast restoration of vital files/folders, apps, images, and virtual machines. ProSight DPS lets your business protect against data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned insiders, or application glitches. Managed services in the ProSight DPS portfolio include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security vendors to deliver web-based management and world-class protection for your inbound and outbound email. The powerful architecture of the Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to offer complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. The cloud filter serves as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound threats and saves network bandwidth and storage. Email Guard's onsite gateway device adds a further level of analysis for incoming email. For outbound email, the local security gateway offers AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent’s ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their connectivity hardware such as routers and switches, firewalls, and access points plus servers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that network diagrams are always current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are detected. By automating time-consuming network management processes, WAN Watch can knock hours off common chores such as making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent’s server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating at peak levels by checking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT personnel and your assigned Progent engineering consultant so any looming problems can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and safeguard data related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of the time wasted looking for vital information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that uses cutting-edge behavior-based analysis technology to defend endpoints as well as servers and VMs against modern malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-matching AV products. Progent ASM services protect on-premises and cloud resources and offer a unified platform to manage the entire threat lifecycle, including protection, infiltration detection, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Find out more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Call Desk: Support Desk Managed Services
    Progent's Help Center managed services enable your IT team to offload Call Center services to Progent or split activity for Service Desk support transparently between your in-house network support group and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a transparent extension of your in-house IT support staff. Client access to the Service Desk, delivery of support, problem escalation, ticket creation and tracking, performance measurement, and management of the service database are consistent whether issues are taken care of by your core IT support resources, by Progent, or by a combination. Read more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management offer organizations of all sizes a flexible and affordable alternative for assessing, validating, scheduling, implementing, and tracking updates to your dynamic IT system. Besides optimizing the security and reliability of your computer environment, Progent's patch management services free up time for your in-house IT team to concentrate on line-of-business projects and activities that derive the highest business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services use Cisco's Duo technology to protect against password theft through two-factor authentication (2FA). Duo supports one-tap identity verification with iOS, Google Android, and other personal devices. With 2FA, whenever you log into a secured online account and give your password, you are asked to verify your identity via a device that only you have and that uses a different ("out-of-band") network channel. A broad range of devices can be used for this second form of identity validation, such as a smartphone or watch, a hardware token, or a landline telephone. You may register multiple verification devices. To find out more about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services.

For São Paulo 24-7 Crypto-Ransomware Recovery Experts, call Progent at 800-462-8800 or go to Contact Progent.