Ransomware: Your Crippling IT Catastrophe
Ransomware Recovery Consultants
Ransomware has become an escalating cyber plague that represents an existential danger for any organization exposed to an attack. Older families such as Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock have circulated for years and still cause havoc. More recent crypto-ransomware such as Ryuk, Maze, Sodinokibi, NetWalker, LockBit or Nefilim, along with a steady stream of as yet unnamed strains, not only encrypts online data but also seeks out and destroys any backups reachable from the compromised network. Files synchronized to cloud storage can be overwritten with encrypted copies and rendered useless as well. In a poorly designed environment this makes automated recovery hopeless and effectively sets the datacenter back to square one.

Getting services and data back online after a ransomware event becomes a race against time as the targeted organization tries to contain the damage, eradicate the malware and restore mission-critical operations. Because the attackers need time to move laterally and stage the encryptor, the encryption phase is usually launched on a weekend or holiday, when a successful attack takes longer to notice. This multiplies the difficulty of promptly marshalling and organizing an experienced response team.
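The weekend timing described above is something a file-server audit trail can surface on its own. The following added example (not Progent's code, and not from any product named on this page) sessionizes per-user file events and raises an alert when one session renames many files to a single new extension, also reporting whether a ransom note was dropped and whether the burst started outside business hours. The log line format, the ransom-note file names, the thresholds and the sample log itself are all constructed assumptions.

```python
"""Flag a ransomware-style encryption burst in file-server audit logs.

Added example, not Progent's code. The log format, the ransom-note file names
and the thresholds are assumptions; the sample log is constructed.
Line format: "<ISO timestamp> <user> <CREATE|WRITE|RENAME> <path> [<new path>]".
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import os

RANSOM_NOTE_NAMES = {"readme.txt", "readme.html", "decrypt_instructions.txt"}  # assumed names


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    path: str
    new_path: Optional[str] = None


@dataclass
class Alert:
    user: str
    start: datetime
    end: datetime
    renamed: int        # renames that changed the extension to `new_ext`
    new_ext: str
    directories: int    # distinct directories touched: spread, not one folder
    note_dropped: bool
    off_hours: bool


def parse_line(line: str) -> Event:
    parts = line.split()
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3],
                 parts[4] if len(parts) > 4 else None)


def is_off_hours(ts: datetime, start_hour: int = 7, end_hour: int = 19) -> bool:
    """Weekend, or outside the assumed 07:00-19:00 business day."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def sessions(events: List[Event], gap: timedelta):
    """Split one user's time-ordered events wherever the silence exceeds `gap`."""
    current = [events[0]]
    for e in events[1:]:
        if e.ts - current[-1].ts > gap:
            yield current
            current = []
        current.append(e)
    yield current


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def analyze_session(user: str, sess: List[Event], min_renames: int) -> Optional[Alert]:
    """Alert when one session renames at least `min_renames` files to the same new extension."""
    renames = [e for e in sess
               if e.action == "RENAME" and e.new_path and _ext(e.new_path) != _ext(e.path)]
    if len(renames) < min_renames:
        return None
    new_ext, count = Counter(_ext(e.new_path) for e in renames).most_common(1)[0]
    if count < min_renames:
        return None
    note = any(e.action == "CREATE" and os.path.basename(e.path).lower() in RANSOM_NOTE_NAMES
               for e in sess)
    dirs = {os.path.dirname(e.path) for e in renames}
    return Alert(user, sess[0].ts, sess[-1].ts, count, new_ext, len(dirs), note,
                 is_off_hours(sess[0].ts))


def detect_bursts(log_text: str, gap: timedelta = timedelta(minutes=5),
                  min_renames: int = 20) -> List[Alert]:
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    alerts = []
    for user in sorted({e.user for e in events}):
        user_events = [e for e in events if e.user == user]
        for sess in sessions(user_events, gap):
            alert = analyze_session(user, sess, min_renames)
            if alert:
                alerts.append(alert)
    return alerts


def _constructed_log() -> str:
    """Constructed sample: normal Friday edits, then a Saturday 02:15 burst."""
    lines = [
        "2020-06-05T14:02:11 alice WRITE /shares/finance/q2.xlsx",
        "2020-06-05T14:05:40 alice RENAME /shares/finance/draft.docx /shares/finance/final.docx",
        "2020-06-05T16:30:05 bob WRITE /shares/engineering/bom.csv",
    ]
    t = datetime(2020, 6, 6, 2, 15, 0)  # 2020-06-06 is a Saturday
    for d in ("finance", "engineering", "hr"):
        lines.append(f"{t.isoformat()} svc_backup CREATE /shares/{d}/readme.txt")
        t += timedelta(seconds=1)
        for n in range(10):
            src = f"/shares/{d}/doc{n}.docx"
            lines.append(f"{t.isoformat()} svc_backup RENAME {src} {src}.locked")
            t += timedelta(seconds=1)
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(a)
```

Alice's rename of draft.docx to final.docx keeps the extension and is ignored; the svc_backup session renames 30 files across three directories to `.locked` within seconds, drops a note in each directory, and starts on a Saturday night, which is exactly the combination a weekend on-call rotation should be paged for.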

Progent offers a range of services for protecting organizations from ransomware attacks: user education to help staff recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for managed endpoint protection, and deployment of modern machine learning based security tools from SentinelOne to detect and disable new threats quickly. Progent also provides seasoned ransomware recovery engineers with the skills and perseverance to rebuild a breached network as fast as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will deliver working keys to decrypt your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without complete, uncompromised backups, this calls for a wide complement of IT skills, top-notch project management, and the ability to work around the clock until the job is done.

For two decades, Progent has delivered professional IT services to companies in Vitória and throughout the US and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals with advanced industry certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise allows Progent to quickly identify the systems that matter, salvage the surviving pieces of your IT environment after a crypto-ransomware attack, and reassemble them into a working whole.

Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex recovery process, and understands the urgency of working quickly and in concert with the customer's management and IT staff to prioritize tasks and bring critical systems back online as fast as possible.

Customer Case Study: A Successful Ransomware Attack Response
A customer engaged Progent after its network was taken over by Ryuk crypto-ransomware. Early analyses linked Ryuk to North Korean state-sponsored hackers because it shares code with the Hermes ransomware, but subsequent attribution points to a Russian-speaking criminal group that typically deploys it by hand after an initial Emotet or TrickBot infection. Ryuk targets companies with little or no tolerance for operational disruption and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a manufacturing company headquartered in Chicago with about 500 employees. The Ryuk event had halted all company operations and manufacturing processes. Most of the client's backups had been reachable from the network at the start of the attack and were destroyed along with the production data. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but in the end brought in Progent.


"I can't say enough about the help Progent gave us during the most stressful time of (our) company's existence. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent group gave us. That you were able to get our messaging and production applications back on-line in less than a week was incredible. Each expert I spoke to or communicated with at Progent was totally committed to getting our company operational and was working at breakneck pace on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the critical applications that had to be restored in order to resume departmental operations:

  • Active Directory (AD)
  • Electronic Mail
  • Accounting/MRP
To begin, Progent followed incident response best practices by halting the spread and isolating and cleaning the infected systems. Progent then started restoring Microsoft Active Directory, the core of any enterprise environment built on Microsoft Windows. Microsoft Exchange Server email will not operate without Active Directory, and the business's accounting and MRP system ran on SQL Server, which relies on Active Directory for Windows authentication to its databases.

In less than 48 hours, Progent rebuilt Active Directory to its pre-attack state. Progent then rebuilt the most important servers and recovered their disks. All Exchange data and configuration information were intact, which greatly simplified the Exchange rebuild, and Progent was able to recover email messages from local OST files (Outlook Offline Data Files) on staff workstations. A relatively recent offline backup of the customer's accounting software allowed Progent to bring those required services back online for users. Although significant work remained to recover fully from the Ryuk attack, core services were restored rapidly:
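Two threads run through this case study: backups that were reachable from the network were destroyed while an offline copy survived, and restoration had to follow the dependency chain (Active Directory before Exchange and SQL Server, and those before the MRP application). The following added example (not Progent's code) turns both into a restore plan: it classifies each backup copy against an assumed incident timeline, picks the newest usable copy per system, reports the data-loss window, and orders the systems with a topological sort of their declared dependencies. The systems, dependency graph, copies, timestamps and classification rules are constructed assumptions.

```python
"""Triage backup copies and order restores after a ransomware event.

Added example, not Progent's code. Systems, dependencies, copies and the
incident timeline are constructed; the classification rules are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
import heapq


@dataclass(frozen=True)
class Copy:
    copy_id: str
    system: str
    taken_at: datetime
    # "online": reachable from the domain (NAS share, backup server on the LAN)
    # "offline": tape or disconnected media; "immutable": object lock / WORM storage
    location: str


# Assumed incident timeline: first attacker foothold vs. when the encryptor ran.
FIRST_COMPROMISE = datetime(2020, 5, 30, 9, 0)
ENCRYPTED_AT = datetime(2020, 6, 6, 2, 0)

# Constructed dependency graph: a system is restored only after its dependencies.
DEPENDENCIES = {
    "dc01": [],
    "exch01": ["dc01"],
    "sql01": ["dc01"],
    "mrp-app": ["dc01", "sql01"],
}

# Constructed backup inventory.
COPIES = [
    Copy("dc01-nas-0606", "dc01", datetime(2020, 6, 6, 1, 0), "online"),
    Copy("dc01-tape-0529", "dc01", datetime(2020, 5, 29, 1, 0), "offline"),
    Copy("exch01-nas-0606", "exch01", datetime(2020, 6, 6, 1, 0), "online"),
    Copy("exch01-cloud-0606", "exch01", datetime(2020, 6, 6, 3, 0), "immutable"),
    Copy("sql01-cloud-0604", "sql01", datetime(2020, 6, 4, 1, 0), "immutable"),
    Copy("sql01-nas-0606", "sql01", datetime(2020, 6, 6, 1, 0), "online"),
    Copy("mrp-tape-0605", "mrp-app", datetime(2020, 6, 5, 1, 0), "offline"),
]


def classify(copy: Copy, first_compromise: datetime, encrypted_at: datetime) -> str:
    """Assumed rules, from most to least damaging."""
    if copy.location == "online":
        return "destroyed"   # reachable from the compromised domain: assume deleted or encrypted
    if copy.taken_at >= encrypted_at:
        return "encrypted"   # faithful snapshot of already-encrypted data; useless
    if copy.taken_at > first_compromise:
        return "tainted"     # data probably fine, but may carry attacker tooling or persistence
    return "clean"


def restore_order(dependencies: dict) -> list:
    """Kahn's algorithm over the dependency graph; ties broken alphabetically."""
    indegree = {s: 0 for s in dependencies}
    dependents = {s: [] for s in dependencies}
    for system, deps in dependencies.items():
        for d in deps:
            indegree[system] += 1
            dependents[d].append(system)
    ready = [s for s, n in indegree.items() if n == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        s = heapq.heappop(ready)
        order.append(s)
        for t in dependents[s]:
            indegree[t] -= 1
            if indegree[t] == 0:
                heapq.heappush(ready, t)
    if len(order) != len(dependencies):
        raise ValueError("dependency cycle: restore order is undefined")
    return order


def pick_restore_point(system: str, copies, first_compromise, encrypted_at):
    """Newest copy that is clean or tainted; tainted copies must be scanned before use."""
    usable = [(c, classify(c, first_compromise, encrypted_at)) for c in copies if c.system == system]
    usable = [(c, status) for c, status in usable if status in ("clean", "tainted")]
    if not usable:
        return None, None
    return max(usable, key=lambda cs: cs[0].taken_at)


def build_plan(dependencies, copies, first_compromise, encrypted_at) -> list:
    plan = []
    for system in restore_order(dependencies):
        copy, status = pick_restore_point(system, copies, first_compromise, encrypted_at)
        plan.append({
            "system": system,
            "restore_from": copy.copy_id if copy else None,
            "status": status or "no usable copy: rebuild from surviving data",
            "data_loss_hours": (encrypted_at - copy.taken_at).total_seconds() / 3600 if copy else None,
        })
    return plan


if __name__ == "__main__":
    for step in build_plan(DEPENDENCIES, COPIES, FIRST_COMPROMISE, ENCRYPTED_AT):
        print(step)
```

In the constructed inventory the domain controller's only survivor is an eight-day-old tape, Exchange has nothing usable (its NAS copy was online and its cloud copy was taken an hour after encryption, so it faithfully preserved ciphertext), and the SQL and MRP copies predate encryption but postdate the initial foothold, so they are restorable only after being scanned for the attacker's persistence mechanisms.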


"For the most part, the assembly line operation was never shut down and we made all customer deliverables."

Over the following month, key milestones in the recovery project were completed in close collaboration between Progent's team and the client:

  • Internal web applications were brought back up with no loss of data.
  • The MailStore email archive for Exchange Server, holding more than four million archived messages, was brought online and made available to users.
  • CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory control capabilities were fully functional.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Most user desktops and notebooks were back in operation.

"A lot of what happened in the early hours is nearly entirely a blur for me, but my team will not forget the countless hours all of the team put in to help get our company back. I've utilized Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered. This event was a stunning achievement."

Conclusion
A potentially company-ending catastrophe was averted by top-tier experts, a broad range of technical expertise, and close collaboration. In hindsight, the incident described here could have been prevented with modern security tooling, staff training, and properly executed procedures for isolated backups and timely security patching. Even so, the ransomware gangs operating from Russia, North Korea and elsewhere, some of them state-sponsored or state-tolerated, are tireless and represent an ongoing threat. If you are hit by crypto-ransomware, you can be confident that Progent's roster of experts has substantial experience in ransomware defense, cleanup, and disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), thank you for allowing me to get some sleep after we made it over the initial push. Everyone did a fabulous job, and if anyone is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Vitória a range of remote monitoring and security assessment services to help minimize the threat from crypto-ransomware. These services use modern machine learning to uncover zero-day strains of ransomware that get past traditional signature-based antivirus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses SentinelOne's behavior-based machine learning technology to guard physical and virtual endpoints against modern malware such as ransomware and file-less exploits, which routinely evade legacy signature-matching antivirus products. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to automate the entire threat lifecycle: blocking, detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy (VSS) snapshots (deleting shadow copies is a standard step in most ransomware playbooks, so the agent must keep them protected for rollback to work) and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer economical multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering through cutting-edge tools packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP environment that addresses your organization's specific needs and that helps you demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also help you install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup software companies to create ProSight Data Protection Services, a family of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup processes and enable transparent backup and rapid recovery of important files/folders, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss resulting from equipment breakdown, natural disasters, fire, malware such as ransomware, user error, ill-intentioned insiders, or application glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security vendors to provide web-based management and world-class protection for all your email traffic. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first barrier and blocks most threats before they reach your network firewall. This reduces your exposure to external threats and conserves bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper level of inspection for inbound email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server monitor and protect internal email that originates and terminates inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, monitor, reconfigure and troubleshoot their connectivity appliances like switches, firewalls, and access points as well as servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating tedious network management activities, WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding devices that need important software patches, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to help keep your IT system running efficiently by checking the state of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT management staff and your assigned Progent engineering consultant so that any looming issues can be resolved before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported immediately to a different hosting solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate up to half of the time spent searching for critical information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your business network, such as standard operating procedures and how-to guides. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that uses behavior-based analysis to guard endpoint devices, servers and VMs against new malware attacks such as ransomware and phishing payloads, which routinely evade legacy signature-matching antivirus tools. The service protects on-premises and cloud-based resources and provides a single platform to manage the entire attack progression: filtering, identification, mitigation, cleanup, and forensics. Key capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Service Center: Help Desk Managed Services
    Progent's Support Desk managed services permit your IT staff to offload Support Desk services to Progent or divide activity for Service Desk support transparently between your internal network support team and Progent's nationwide pool of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a smooth extension of your corporate IT support group. End user access to the Help Desk, provision of support services, issue escalation, ticket generation and tracking, performance metrics, and management of the service database are cohesive regardless of whether incidents are taken care of by your core support group, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer businesses of any size a flexible and cost-effective alternative for assessing, testing, scheduling, implementing, and documenting updates to your ever-evolving IT system. In addition to optimizing the security and functionality of your computer network, Progent's software/firmware update management services permit your IT staff to focus on more strategic initiatives and activities that deliver the highest business value from your information network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services use Cisco's Duo technology to protect against the use of compromised passwords through two-factor authentication. Duo supports single-tap identity confirmation on iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a protected account and enter your password, you are asked to confirm your identity on a device that only you have and that uses a different network channel. A wide range of out-of-band devices can serve as this second factor, such as a smartphone or wearable, a hardware or software token, or a landline telephone, and you may designate several verification devices. For more information about Duo identity validation services, visit Cisco Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of in-depth management reporting plug-ins designed to work with leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and uses color coding to surface and contextualize key issues such as inconsistent support follow-up or machines with out-of-date antivirus. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24/7 ransomware cleanup support in Vitória, contact Progent at 800-462-8800 or go to Contact Progent.