Ransomware: Your Worst Information Technology Disaster
Ransomware Remediation Experts
Ransomware has become a too-frequent cyber plague that presents an existential threat to organizations poorly prepared for an attack. Older strains such as Reveton, CryptoWall, Locky, Syskey, and the MongoLock cryptoworms have been in the wild for a long time and continue to inflict harm. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti, and Egregor, as well as daily unnamed newcomers, not only encrypt online data but also infiltrate most reachable system backups. Data synced to the cloud can also be rendered useless. In a poorly architected data protection solution, this can make automatic recovery hopeless and effectively sets the network back to square one.

Recovering services and data after a ransomware intrusion becomes a sprint against time as the targeted organization struggles to stop lateral movement, clear the crypto-ransomware, and restore business-critical activity. Because ransomware needs time to spread, attacks are often launched on weekends and holidays, when they typically take longer to uncover. This multiplies the difficulty of promptly assembling and organizing an experienced mitigation team.

Progent offers a range of services for securing organizations against ransomware penetrations. Among these are team training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security appliances with artificial intelligence technology from SentinelOne to detect and suppress zero-day threats automatically. Progent can also provide the services of seasoned crypto-ransomware recovery consultants with the talent and commitment to reconstruct a compromised system as rapidly as possible.

Progent's Ransomware Restoration Help
After a crypto-ransomware event, paying the ransom demand in Bitcoin provides no assurance that the attackers will supply the keys needed to decrypt your data. Kaspersky determined that 17% of crypto-ransomware victims never restored their files even after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the usual ransomware demand, which ZDNet puts at approximately $13,000 on average. The alternative is to set up the essential elements of your Information Technology environment from scratch. Without access to usable backups, this calls for a wide range of IT skills, professional team management, and the ability to work non-stop until the job is done.

For twenty years, Progent has offered expert IT services to companies in Curitiba and across the U.S. and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained high-level certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of expertise allows Progent to quickly understand the affected systems, take stock of the remaining components of your network after a ransomware event, and assemble them into a functioning network.

Progent's recovery team utilizes top-notch project management applications to coordinate the complex recovery process. Progent appreciates the importance of acting rapidly and in concert with a customer's management and Information Technology staff to prioritize tasks and to put the most important services back online as fast as possible.

Case Study: A Successful Crypto-Ransomware Penetration Recovery
A customer hired Progent after their company was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state cybercriminals, suspected of using algorithms leaked from America's NSA. Ryuk goes after specific businesses with little tolerance for operational disruption and is one of the most profitable strains of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk event had brought down all business operations and manufacturing capabilities. Most of the client's backups were online at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom demand (exceeding $200,000) and hoping for good luck, but in the end reached out to Progent.

"I can't say enough in regards to the care Progent gave us during the most critical time of (our) business's life. We most likely would have paid the criminal gangs if not for the confidence the Progent team gave us. The fact that you could get our messaging and critical applications back in less than 1 week was amazing. Each expert I interacted with or e-mailed at Progent was laser focused on getting us working again and was working day and night on our behalf."

Progent worked with the client to rapidly understand and assign priority to the most important services that needed to be restored in order to restart business operations:

  • Microsoft Active Directory
  • Electronic Mail
  • MRP System

To begin, Progent followed industry best practices for incident response by stopping the spread and removing the active malware. Progent then began the process of bringing Active Directory back online, the foundation of enterprise environments built on Microsoft Windows technology. Exchange messaging will not operate without Active Directory, and the client's MRP system used SQL Server, which relies on Active Directory for authenticating and authorizing access to its databases.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then assisted with rebuilding key applications and recovering their data from disk. All Exchange schema and configuration information were intact, which greatly helped the restoration of Exchange. Progent was also able to locate non-encrypted OST files (Outlook offline folder files) on team PCs and laptops in order to recover email messages. A reasonably recent offline backup of the business's financials/ERP software made it possible to bring these essential services back online. Although major work remained to recover completely from Ryuk, critical services were restored quickly:
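As an added example, not Progent's tooling or any code from the case study, the following PowerShell script shows how a recovery team can sweep workstations for Outlook OST/PST files and tell usable mailbox caches apart from ones an encryptor has overwritten. Outlook data files start with the 4-byte signature "!BDN", so a file whose header no longer matches cannot be opened for message recovery. The search roots, the incident start time, and the assumption that the encryptor may have appended its own extension after .ost are assumptions made for the example.

```powershell
# Added example, not Progent's tooling: sweep user profiles for Outlook OST/PST files and
# separate usable mailbox caches from ones an encryptor has overwritten.
# Outlook data files begin with the signature "!BDN" (bytes 21 42 44 4E). A file whose
# header no longer matches has been rewritten and cannot be opened for recovery.
# Assumptions: $SearchRoots and $IncidentStart are placeholders the responder supplies,
# and the glob '*.ost*' allows for encryptors that append an extension after .ost.

$OutlookMagic = [byte[]](0x21, 0x42, 0x44, 0x4E)   # ASCII "!BDN"

function Test-OutlookFileSignature {
    param([Parameter(Mandatory)][string]$Path)
    # FileShare ReadWrite lets the check run even while Outlook still holds the OST open.
    try {
        $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    } catch {
        return $false   # unreadable (locked exclusively or access denied): treat as unusable
    }
    try {
        $header = New-Object byte[] 4
        if ($stream.Read($header, 0, 4) -lt 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) {
            if ($header[$i] -ne $OutlookMagic[$i]) { return $false }
        }
        return $true
    } finally {
        $stream.Dispose()
    }
}

function Get-OutlookFileReport {
    param(
        [string[]]$SearchRoots = @("$env:SystemDrive\Users"),          # placeholder roots
        [datetime]$IncidentStart = (Get-Date '2020-01-01T00:00:00')    # placeholder time
    )
    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Recurse -File -Force -Include '*.ost*', '*.pst*' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $intact = Test-OutlookFileSignature -Path $_.FullName
                [pscustomobject]@{
                    Path            = $_.FullName
                    SizeMB          = [math]::Round($_.Length / 1MB, 1)
                    LastWrite       = $_.LastWriteTime
                    SignatureIntact = $intact
                    # Rewritten after the intrusion began and carrying no valid header:
                    # the trace an in-place encryptor leaves behind.
                    LikelyEncrypted = (-not $intact) -and ($_.LastWriteTime -ge $IncidentStart)
                }
            }
    }
}

# Usage: review the full table, then copy only intact files to read-only recovery storage.
$report = Get-OutlookFileReport
$report | Sort-Object SignatureIntact, Path | Format-Table -AutoSize
$report | Where-Object SignatureIntact | Select-Object -ExpandProperty Path
```

Run it from an administrative PowerShell session on each workstation (or push it through an RMM tool). Files flagged LikelyEncrypted are useless for mailbox recovery, but their LastWrite timestamps help bound when the encryptor ran on that host, which feeds the incident timeline.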

"For the most part, the production operation did not miss a beat and we made all customer sales."

Throughout the following month, critical milestones in the recovery process were accomplished in tight cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Exchange Server with over four million archived messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were fully restored.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Nearly all of the desktops and laptops were back in use by staff.

"Much of what went on those first few days is nearly entirely a fog for me, but our team will not soon forget the urgency each and every one of the team put in to give us our business back. I've been working with Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A potential company-ending catastrophe was dodged with top-tier professionals, a wide array of subject matter expertise, and tight collaboration. Although in retrospect the ransomware incident described here could have been identified and disabled with up-to-date security technology solutions and best practices, user and IT administrator education, and well thought out security procedures for information backup and applying software patches, the fact remains that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incursion, feel confident that Progent's team of experts has a proven track record in crypto-ransomware virus defense, remediation, and information systems disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for making it so I could get rested after we made it past the initial fire. All of you put in an impressive effort, and if any of your team is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Curitiba a portfolio of online monitoring and security evaluation services designed to help you minimize your exposure to ransomware. These services include modern artificial intelligence capability to detect zero-day strains of ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's next generation behavior machine learning technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily escape traditional signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to manage the complete malware attack lifecycle including protection, identification, mitigation, remediation, and post-attack forensics. Top features include one-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering via cutting-edge tools packaged within a single agent accessible from a unified control. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP deployment that meets your company's specific requirements and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent's consultants can also assist your company to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology providers to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that provide backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and enable non-disruptive backup and fast recovery of vital files, apps, system images, plus virtual machines. ProSight DPS lets your business avoid data loss resulting from equipment failures, natural calamities, fire, cyber attacks like ransomware, human error, malicious employees, or application bugs. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security companies to deliver web-based management and world-class protection for your email traffic. The hybrid architecture of Email Guard combines a Cloud Protection Layer with a local gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway device provides a deeper layer of inspection for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, enhance and debug their connectivity hardware like routers and switches, firewalls, and access points plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are always updated, captures and manages the configuration of almost all devices connected to your network, monitors performance, and generates notices when issues are discovered. By automating tedious management activities, WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding devices that require critical software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the health of critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so that all potential issues can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Since the environment is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard data related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of the time wasted searching for critical information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes next generation behavior machine learning tools to defend endpoints, servers, and VMs against modern malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. Progent ASM services protect on-premises and cloud resources and provide a single platform to automate the entire threat progression including filtering, detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Support Center services allow your IT group to outsource Call Center services to Progent or split activity for Service Desk support seamlessly between your in-house support staff and Progent's extensive pool of certified IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your corporate support team. Client access to the Help Desk, provision of support services, escalation, trouble ticket creation and updates, performance measurement, and maintenance of the support database are cohesive whether issues are taken care of by your core support staff, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of any size a versatile and affordable alternative for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information system. In addition to maximizing the security and reliability of your IT environment, Progent's patch management services free up time for your in-house IT team to concentrate on more strategic initiatives and activities that derive maximum business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo enables single-tap identity confirmation on iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a protected online account and enter your password you are asked to verify who you are via a device that only you have and that is accessed using a different network channel. A broad selection of out-of-band devices can be utilized for this added form of ID validation such as a smartphone or wearable, a hardware/software token, a landline telephone, etc. You can register multiple verification devices. To learn more about Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time management reporting plug-ins created to work with the top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like spotty support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

For Curitiba 24x7x365 Crypto Removal Support Services, call Progent at 800-462-8800 or go to Contact Progent.