Ransomware: Your Feared IT Nightmare
Ransomware Remediation Consultants

Crypto-ransomware has become an all-too-frequent cyberplague that poses an existential danger to businesses of every size that are unprepared for an attack. Older families such as Reveton, Fusob, Locky, NotPetya and the MongoLock cryptoworm have been circulating for years and still cause damage. The latest crypto-ransomware strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with newer, as yet unnamed variants, not only encrypt online data but also seek out and corrupt every backup they can reach. Data synchronized to the cloud can also be held hostage. In an unprotected environment this renders automatic restoration useless and effectively knocks the datacenter back to square one.

Bringing services and data back online after a crypto-ransomware intrusion becomes a race against time as the targeted organization struggles to contain the damage, remove the ransomware, and restore business-critical operations. Because ransomware needs time to spread, attacks are often launched on weekends, when a successful intrusion is likely to go unnoticed for longer. This compounds the difficulty of promptly marshalling and coordinating a knowledgeable remediation team.

Progent offers a range of services for protecting organizations from crypto-ransomware incidents. These include staff education to help recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security tooling with machine learning technology from SentinelOne to detect and contain zero-day threats quickly. Progent also provides experienced ransomware recovery professionals with the skills and persistence to rebuild a compromised environment as urgently as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the criminal gang will provide the keys to decrypt any of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their files after paying the ransom, resulting in even greater losses. The gamble is also very costly: Ryuk ransoms are typically a few hundred thousand dollars, and for larger organizations the demand can run into the millions. The fallback is to piece the key elements of your IT environment back together. Without usable backups of essential data, this requires a wide complement of skill sets, well-coordinated team management, and the capacity to work 24x7 until the job is done.

For twenty years, Progent has offered expert IT services to companies throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise allows Progent to efficiently identify the systems that must be recovered, salvage the surviving parts of your network following a ransomware penetration, and rebuild them into a working environment.

Progent's recovery team uses state-of-the-art project management tools to orchestrate the complicated recovery process. Progent understands the importance of acting swiftly and in concert with a customer's management and IT staff to prioritize tasks and get the most important applications back online as fast as possible.

Case Study: A Successful Ransomware Attack Restoration
A small business sought out Progent after their company was taken over by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state hackers, possibly using techniques leaked from the US NSA. Ryuk targets specific organizations with little tolerance for disruption and is among the most profitable ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk penetration had brought down all business operations and manufacturing processes. Most of the client's backups had been directly reachable from the network at the start of the attack and were damaged. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I cannot speak enough in regards to the help Progent provided us during the most stressful time of (our) business's survival. We may have had to pay the Hackers if not for the confidence the Progent team provided us. The fact that you could get our messaging and important applications back on-line faster than seven days was incredible. Each staff member I talked with or texted at Progent was absolutely committed to getting my company operational and was working at breakneck pace to bail us out."

Progent worked hand in hand with the client to rapidly assess and prioritize the most important areas that had to be recovered before departmental operations could restart:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Financials/MRP

To begin, Progent followed anti-malware incident containment best practices by halting lateral movement and cleaning up compromised systems. Progent then started the work of bringing Microsoft Active Directory back online, the foundational technology of enterprise networks built on Microsoft Windows. Exchange messaging will not function without Active Directory, and the business's MRP system ran on SQL Server, which depends on Windows AD to authenticate users to the database.
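The reasoning in the paragraph above (Exchange needs AD; the MRP system needs SQL Server, which needs AD) is a dependency graph, and the restore sequence falls out of it. The following is an added example, not Progent's code or the case study's own tooling: it computes a restoration order in which no service is restored before its prerequisites, propagating business priority down to prerequisites so that, for instance, SQL Server is restored as early as the MRP system that needs it. The service names and dependency edges are constructed from the case study's description; the priority weights and the "WebApps" node are assumptions for illustration.

```python
"""Dependency-ordered recovery planner (added example, not Progent's code)."""
from collections import defaultdict, deque
import heapq

# Constructed from the case study: service -> set of services it requires.
CASE_STUDY_DEPENDENCIES = {
    "ActiveDirectory": set(),
    "Exchange": {"ActiveDirectory"},
    "SQLServer": {"ActiveDirectory"},
    "MRP": {"SQLServer"},          # MRP uses SQL Server, which needs AD for auth
    "WebApps": {"ActiveDirectory"},  # assumed node, not in the case study text
}

# Assumed business priority: lower number = restore earlier when there is a choice.
CASE_STUDY_PRIORITY = {"Exchange": 1, "MRP": 2, "WebApps": 3}


def _all_nodes(dependencies):
    """Every service mentioned, whether as a key or only as a prerequisite."""
    nodes = set(dependencies)
    for deps in dependencies.values():
        nodes |= set(deps)
    return nodes


def _dependents(dependencies):
    """Reverse map: service -> set of services that directly need it."""
    dependents = defaultdict(set)
    for service, deps in dependencies.items():
        for d in deps:
            dependents[d].add(service)
    return dependents


def effective_priority(dependencies, priority, default=99):
    """A prerequisite is as urgent as the most urgent service that needs it.

    Iterates to a fixed point; values only ever decrease, so this terminates
    even if the dependency data accidentally contains a cycle.
    """
    eff = {n: priority.get(n, default) for n in _all_nodes(dependencies)}
    changed = True
    while changed:
        changed = False
        for service, deps in dependencies.items():
            for d in deps:
                if eff[service] < eff[d]:
                    eff[d] = eff[service]
                    changed = True
    return eff


def recovery_order(dependencies, priority=None, default=99):
    """Return a restore order using Kahn's topological sort.

    Among services whose prerequisites are all restored, the one with the
    lowest effective priority goes first. Raises ValueError on a cycle, which
    means the dependency data is wrong (a service cannot require itself).
    """
    priority = priority or {}
    nodes = _all_nodes(dependencies)
    eff = effective_priority(dependencies, priority, default)
    remaining = {n: set(dependencies.get(n, ())) for n in nodes}
    dependents = _dependents(dependencies)
    ready = [(eff[n], n) for n in nodes if not remaining[n]]
    heapq.heapify(ready)
    order = []
    while ready:
        _, service = heapq.heappop(ready)
        order.append(service)
        for m in dependents[service]:
            remaining[m].discard(service)
            if not remaining[m]:
                heapq.heappush(ready, (eff[m], m))
    if len(order) != len(nodes):
        stuck = sorted(n for n in nodes if n not in order)
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def blast_radius(dependencies, service):
    """Every service that transitively stops working when `service` is down.

    Explains why a single directory outage halts the whole business.
    """
    dependents = _dependents(dependencies)
    seen, queue = set(), deque([service])
    while queue:
        cur = queue.popleft()
        for m in dependents[cur]:
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return sorted(seen)


if __name__ == "__main__":
    print("Restore order:", recovery_order(CASE_STUDY_DEPENDENCIES, CASE_STUDY_PRIORITY))
    print("Down if AD is down:", blast_radius(CASE_STUDY_DEPENDENCIES, "ActiveDirectory"))
```

With the constructed data the planner restores Active Directory first, then Exchange, then SQL Server and MRP, and only then the lower-priority web applications, which matches the order the case study describes. Without the priority propagation step, SQL Server would have no priority of its own and the web applications would jump ahead of it even though the MRP system that depends on it was more urgent.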

In less than two days, Progent restored Active Directory services to their pre-attack state. Progent then charged ahead with reinstallation and storage recovery of the most important servers. All Exchange Server schema extensions and attributes in AD were intact, which facilitated the rebuild of Exchange. Progent was also able to gather unencrypted OST files (Microsoft Outlook Offline Data Files) from various workstations and laptops to recover mailbox contents. A recent offline backup of the business's accounting software made it possible to bring these vital applications back to users. Although major work remained to recover completely from the Ryuk damage, the most important systems were returned to operation quickly:


"For the most part, the production manufacturing operation showed little impact and we made all customer orders."

Over the following month, important milestones in the recovery process were accomplished in close collaboration between Progent consultants and the client:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Server, holding more than 4 million archived emails, was brought online and made available to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory capabilities were fully operational.
  • A new Palo Alto 850 firewall was deployed.
  • Most user desktops and notebooks were back in use by staff.

"Much of what occurred in the initial days is nearly entirely a blur for me, but my management will not forget the care each and every one of the team put in to help get our company back. I've been working with Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This situation was a life saver."

Conclusion
A potential company-ending disaster was averted by hard-working professionals, a wide range of technical expertise, and close collaboration. Post-incident forensics showed that the ransomware incident described here could have been blocked by modern security technology, security best practices, staff training, and appropriate procedures for data backup and for keeping systems current with security patches; nonetheless, state-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a crypto-ransomware attack, remember that Progent's team of professionals has substantial experience in crypto-ransomware prevention, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), I'm grateful for allowing me to get some sleep after we got over the initial fire. All of you made an incredible effort, and if anyone is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Recife a range of remote monitoring and security assessment services to help you reduce your exposure to ransomware. These services incorporate next-generation artificial intelligence to uncover zero-day strains of crypto-ransomware that get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's next-generation behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily get by legacy signature-based AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to automate the complete malware attack lifecycle including filtering, detection, containment, remediation, and forensics. Top features include single-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization experts can assist your business to design and implement a ProSight ESP environment that addresses your organization's specific needs and that helps you prove compliance with government and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent can also help your company to install and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup technology providers to create ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup operations and allow transparent backup and fast recovery of important files/folders, apps, images, and VMs. ProSight DPS helps you protect against data loss resulting from equipment breakdown, natural disasters, fire, malware such as ransomware, user mistakes, ill-intentioned employees, or software bugs. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security vendors to provide centralized management and comprehensive security for your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a first barrier and blocks the vast majority of unwanted email before it reaches your network firewall. This decreases your exposure to external attacks and saves bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper level of analysis for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to map, track, optimize and debug their connectivity hardware such as switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always updated, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating complex network management processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating devices that need important software patches, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your network running efficiently by checking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent consultant so that any potential problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure, fault-tolerant data center on a fast virtual host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information related to your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate up to 50% of the time spent searching for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your business network, such as recommended procedures and how-tos. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're making enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that uses next-generation behavior-based machine learning to defend endpoints, servers and VMs against modern malware attacks like ransomware and fileless exploits, which routinely get by traditional signature-based anti-virus tools. Progent ASM services protect on-premises and cloud-based resources and offer a single platform to automate the complete threat lifecycle including protection, identification, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Call Center managed services permit your information technology staff to offload Help Desk services to Progent or split responsibilities for support services transparently between your in-house network support resources and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a smooth supplement to your core network support group. Client access to the Service Desk, provision of technical assistance, escalation, ticket creation and tracking, performance metrics, and management of the service database are cohesive whether incidents are taken care of by your in-house support organization, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of any size a flexible and affordable alternative for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. Besides maximizing the security and functionality of your IT environment, Progent's patch management services permit your in-house IT staff to focus on more strategic projects and tasks that deliver the highest business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to protect against password theft by using two-factor authentication. Duo supports single-tap identity confirmation with iOS, Android, and other personal devices. With Duo 2FA, whenever you sign into a protected online account and enter your password you are requested to confirm who you are via a device that only you have and that is accessed using a different ("out-of-band") network channel. A wide range of out-of-band devices can be utilized as this added means of ID validation including a smartphone or watch, a hardware token, a landline telephone, etc. You may designate multiple verification devices. For more information about Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of real-time management reporting utilities created to work with the industry's top ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.

For 24/7 Recife Ransomware Removal Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.