Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware Recovery Professionals
Crypto-ransomware has become an all-too-frequent cyber plague that represents an enterprise-level threat for organizations unprepared for an assault. Multiple generations of ransomware like the CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and still inflict destruction. Recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nephilim, plus additional as yet unnamed newcomers, not only encrypt online data files but also infect every system backup they can reach. Data synced to the cloud can also be encrypted. In a poorly designed data protection solution, this can make automated restore operations impossible and effectively knocks the network back to zero.

Getting programs and information back online after a crypto-ransomware event becomes a sprint against the clock as the targeted business tries its best to contain the damage, clean up the ransomware, and restore mission-critical operations. Since ransomware requires time to spread, attacks are usually launched during weekends and nights, when successful attacks typically take longer to recognize. This compounds the difficulty of promptly assembling and orchestrating a knowledgeable response team.

Progent provides an assortment of services for protecting businesses from ransomware attacks. These include staff education to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security appliances with AI technology from SentinelOne to intelligently detect and disable zero-day cyber attacks. Progent in addition offers the assistance of seasoned crypto-ransomware recovery professionals with the talent and commitment to reconstruct a compromised network as quickly as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware event, even paying the ransom demand in cryptocurrency does not guarantee that the attackers will provide the keys needed to decrypt any of your files. Kaspersky found that 17% of ransomware victims never recovered their information even after paying the ransom, resulting in increased losses. The ransom itself is also very costly. Ryuk ransoms are typically a few hundred thousand dollars. For larger organizations, the ransom can reach millions. The alternative is to piece back together the mission-critical components of your Information Technology environment. Without full data backups, this requires a broad range of skills, well-coordinated project management, and the capability to work 24x7 until the task is over.

For decades, Progent has provided certified expert IT services for companies throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold top certifications in foundation technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the capability to quickly understand the necessary systems, integrate the remaining pieces of your Information Technology environment following a ransomware penetration, and assemble them into an operational system.

Progent's ransomware team uses best-of-breed project management systems to coordinate the complex recovery process. Progent appreciates the urgency of working swiftly and in concert with a client's management and IT staff to prioritize tasks and put essential systems back online as fast as humanly possible.

Customer Story: A Successful Ransomware Attack Restoration
A business engaged Progent after its network was taken over by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored cybercriminals, possibly adopting techniques leaked from the United States NSA. Ryuk targets specific organizations that have little tolerance for disruption and is one of the most lucrative ransomware families. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with around 500 staff members. The Ryuk penetration had shut down all business operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were damaged. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for the best, but ultimately decided to use Progent.


"I can't say enough in regards to the expertise Progent gave us throughout the most fearful period of (our) business's existence. We may have had to pay the cyber criminals except for the confidence the Progent group gave us. The fact that you were able to get our messaging and critical servers back on-line in less than a week was earth shattering. Every single staff member I spoke to or messaged at Progent was totally committed to getting us back online and was working non-stop on our behalf."

Progent worked with the client to quickly identify and prioritize the most important systems that needed to be addressed to make it possible to resume business functions:

  • Windows Active Directory
  • Electronic Mail
  • MRP System
To start, Progent followed industry best practices for incident response by isolating infected systems and cleaning them of malware. Progent then began rebuilding Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Windows AD, and the client's financials and MRP software relied on Microsoft SQL Server, which depends on Active Directory services for access to the database.
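The restore sequence described above (Active Directory first, then Exchange and SQL Server, then the applications that sit on SQL Server) is a dependency problem, and it is worth writing down explicitly before a recovery starts rather than working it out under pressure. The following Python script is an added example, not Progent's or the client's code: it models the systems named in the case study as a dependency graph, derives a restore order in which no system is scheduled before everything it requires, and refuses to produce a plan if the dependencies form a cycle. The edges for Exchange, SQL Server and MRP follow the page's description; the "financials" and "web_sites" nodes and the business-priority numbers are assumptions for illustration.

```python
"""Added example (not Progent's code): compute a restore order for the
systems in the Ryuk case study from their dependencies.

Edges for Active Directory, Exchange, SQL Server and MRP follow the
page; 'financials', 'web_sites' and the priorities are assumptions."""

# Constructed dependency map: system -> systems that must be up first.
DEPENDENCIES = {
    "active_directory": set(),
    "exchange": {"active_directory"},          # Exchange will not run without AD
    "sql_server": {"active_directory"},        # SQL Server relies on AD for access
    "mrp": {"sql_server"},                     # MRP software lives on SQL Server
    "financials": {"sql_server"},              # assumed: financials also on SQL Server
    "web_sites": set(),                        # assumed: self-hosted, independent
}

# Constructed business priority: lower number = restore sooner when the
# dependency graph alone does not force an order.
PRIORITY = {
    "active_directory": 0,
    "exchange": 1,
    "sql_server": 1,
    "mrp": 1,
    "financials": 2,
    "web_sites": 3,
}


def prerequisites(deps, system):
    """Return every system that must be up before `system`, transitively."""
    seen, stack = set(), [system]
    while stack:
        for parent in deps[stack.pop()]:
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def restore_order(deps, priority):
    """Kahn's topological sort: a system is scheduled only after all of its
    prerequisites; ties are broken by business priority, then by name.
    Raises ValueError on an unknown dependency or a dependency cycle."""
    for system, parents in deps.items():
        unknown = parents - deps.keys()
        if unknown:
            raise ValueError(f"{system} depends on unknown system(s): {sorted(unknown)}")

    remaining = {s: len(p) for s, p in deps.items()}   # unmet prerequisite count
    dependents = {s: [] for s in deps}                  # reverse edges
    for system, parents in deps.items():
        for parent in parents:
            dependents[parent].append(system)

    rank = lambda s: (priority.get(s, 99), s)
    ready = sorted((s for s, n in remaining.items() if n == 0), key=rank)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            remaining[child] -= 1
            if remaining[child] == 0:
                ready.append(child)
        ready.sort(key=rank)

    if len(order) != len(deps):
        stuck = sorted(s for s, n in remaining.items() if n > 0)
        raise ValueError(f"dependency cycle involving: {stuck}")
    return order


if __name__ == "__main__":
    for step, system in enumerate(restore_order(DEPENDENCIES, PRIORITY), 1):
        needs = sorted(prerequisites(DEPENDENCIES, system)) or ["nothing"]
        print(f"{step}. {system:<18} requires: {', '.join(needs)}")
```

With the constructed graph the plan comes out as Active Directory, Exchange, SQL Server, MRP, financials, then the web sites, which matches the sequence the case study followed. The cycle check matters in practice: a real environment often has a circular dependency (for example a backup server joined to the domain whose backups are needed to rebuild the domain), and surfacing that before the outage is what lets you keep an offline copy of the one piece that has to come first.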

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery on the most important systems. All Exchange data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to find intact OST files (Outlook Offline Folder Files) on user workstations and laptops to recover email. A recent offline backup of the client's manufacturing systems made it possible to bring these required applications back online for users. Although a large amount of work remained to recover completely from the Ryuk attack, critical services were restored rapidly:


"For the most part, the manufacturing operation never missed a beat and we did not miss any customer shipments."

Over the next few weeks important milestones in the restoration process were completed through tight collaboration between Progent engineers and the client:

  • Self-hosted web sites were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server containing more than 4 million historical emails was restored to operation and made accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were fully functional.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Most of the desktop computers were functioning as before the incident.

"A huge amount of what transpired during the initial response is mostly a blur for me, but we will not forget the commitment each and every one of you accomplished to help get our company back. I've been working with Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This situation was a stunning achievement."

Conclusion
A potential enterprise-killing disaster was averted through the efforts of top-tier experts, a wide range of IT skills, and close teamwork. Although the post-mortem showed that the ransomware incident detailed here could have been identified and blocked with up-to-date cyber security solutions, NIST Cybersecurity Framework best practices, team training, and well-thought-out procedures for data backup and software patching, the fact remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware incursion, be assured that Progent's team of experts has extensive experience in ransomware defense, mitigation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thank you for allowing me to get rested after we got over the most critical parts. All of you did an amazing effort, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Curitiba a variety of remote monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services incorporate next-generation machine learning technology to uncover zero-day variants of ransomware that get past legacy signature-based anti-virus products.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your IT system operating efficiently by tracking the health of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT management staff and your Progent consultant so any potential problems can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM Solution for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-driven platform for monitoring and managing your client-server infrastructure by providing an environment for performing common time-consuming tasks. These can include health checking, update management, automated repairs, endpoint configuration, backup and recovery, anti-virus defense, secure remote access, built-in and custom scripts, resource inventory, endpoint status reporting, and debugging support. If ProSight LAN Watch with NinjaOne RMM uncovers a serious issue, it sends an alarm to your designated IT management personnel and your Progent consultant so emerging problems can be taken care of before they impact your network. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring services.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, monitor, reconfigure and troubleshoot their connectivity hardware such as routers and switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are always updated, captures and manages the configuration information of virtually all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating tedious network management processes, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, locating devices that require critical software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time and in-depth management reporting utilities designed to integrate with the top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore technology providers to create ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and track your data backup operations and enable non-disruptive backup and fast recovery of critical files, applications, system images, plus VMs. ProSight DPS lets your business avoid data loss caused by hardware failures, natural calamities, fire, malware like ransomware, user mistakes, malicious employees, or software bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to provide web-based control and comprehensive protection for your email traffic. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication. Duo enables one-tap identity confirmation with Apple iOS, Google Android, and other personal devices. Using 2FA, whenever you log into a secured application and give your password you are asked to confirm your identity via a device that only you have and that is accessed using a different ("out-of-band") network channel. A wide range of out-of-band devices can be utilized as this added means of authentication, including an iPhone, Android phone or wearable, a hardware token, a landline telephone, etc. You can designate multiple validation devices. To learn more about Duo two-factor identity validation services, go to Duo MFA two-factor authentication services for access security.

  • Progent's Outsourced/Shared Service Desk: Call Center Managed Services
    Progent's Call Desk services allow your IT team to offload Call Center services to Progent or divide activity for Help Desk services transparently between your internal support resources and Progent's nationwide roster of IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a seamless extension of your core support resources. End user interaction with the Service Desk, provision of technical assistance, escalation, ticket creation and tracking, efficiency metrics, and maintenance of the service database are cohesive whether incidents are taken care of by your in-house support resources, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Call Desk services.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates cutting-edge behavior-based analysis technology to defend endpoints, servers and VMs against modern malware assaults like ransomware and file-less exploits, which routinely get by traditional signature-matching AV tools. Progent ASM services safeguard on-premises and cloud resources and provide a single platform to address the complete threat lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware protection and cleanup services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can save as much as half of the time spent trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for holding and sharing all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about ProSight IT Asset Management service.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide businesses of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving information network. Besides optimizing the security and functionality of your IT environment, Progent's patch management services allow your IT team to concentrate on line-of-business initiatives and activities that derive the highest business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching AV tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to address the entire malware attack progression including protection, identification, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering via cutting-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP deployment that meets your company's specific requirements and that allows you to demonstrate compliance with legal and industry information security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent's consultants can also help you install and test a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly after a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

For 24x7 Curitiba Crypto-Ransomware Removal Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.