Crypto-Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that poses an enterprise-level threat to any business vulnerable to attack. Crypto-ransomware families such as CrySIS, Fusob, Locky, SamSam and MongoLock have been circulating for years and still cause havoc. More recent families like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, along with new, as yet unnamed variants that appear daily, not only encrypt critical data that is online but also seek out and disable or encrypt every protection mechanism they can reach, including backups. Data synchronized to an off-site disaster recovery site can be encrypted as well, because replication faithfully copies the encrypted files. If the data protection solution has no offline or otherwise unreachable copy, automated restoration becomes useless and the datacenter is effectively set back to square one.
Recovering applications and data after a crypto-ransomware attack becomes a race against time as the victim tries to stop lateral movement, eradicate the ransomware and restore business-critical operations. Because ransomware operators need time to move laterally and stage the encryption, attacks are usually detonated at night or on weekends, when intrusions typically take longer to discover. This compounds the difficulty of promptly assembling and organizing an experienced response team.
Progent provides a range of services for protecting businesses from crypto-ransomware attacks. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation endpoint security based on SentinelOne's machine learning technology to detect and contain zero-day attacks. Progent also offers the services of veteran ransomware recovery engineers with the skills and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin provides no assurance that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet estimated at around $13,000. The alternative is to piece the vital components of your IT environment back together. Without access to intact system backups, this calls for a broad range of IT skills, top-notch project management, and the ability to work non-stop until the recovery is done.
For two decades, Progent has provided expert IT services to companies in Curitiba and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold high-level certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to quickly identify the systems that matter, salvage the surviving pieces of your network after a ransomware intrusion, and reassemble them into a working whole.
Progent's recovery group uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the importance of acting rapidly and in concert with a client's management and IT staff to prioritize tasks and put critical applications back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Attack Recovery
A business hired Progent after its organization was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it reuses code from the Hermes ransomware, but later analysis has generally attributed it to a Russian-speaking criminal group. Ryuk is used in targeted attacks against organizations that can tolerate little operational disruption, and it is among the most profitable ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with around 500 staff members. The Ryuk attack had disabled all business operations and manufacturing capabilities. Most of the client's backups had been online at the time of the attack and were encrypted along with everything else. The client was preparing to pay the ransom demand (in excess of $200,000) and hope for the best, but in the end brought in Progent.
"I cannot thank you enough for the care Progent gave us throughout the most stressful time of (our) company's life. We would have paid the criminal gangs except for the confidence the Progent group provided us. That you could get our messaging and key servers back online in less than a week was earth shattering. Each staff member I talked with or e-mailed at Progent was laser focused on getting our company operational and was working all day and night to bail us out."
Progent worked with the client to rapidly understand and prioritize the most important applications that had to be recovered in order to resume business operations:
- Microsoft Active Directory
- Accounting and Manufacturing Software
Progent first followed standard malware incident response practice: contain the spread, then clean the infected systems. Progent then started restoring Windows Active Directory, the heart of any enterprise environment built on Microsoft Windows Server. Microsoft Exchange will not run without AD, and the company's financial and MRP software ran on Microsoft SQL Server using Windows authentication, which also depends on Active Directory to grant access to the data.
In less than 2 days, Progent recovered Windows Active Directory to its pre-attack state. Progent then helped rebuild and recover storage on the servers that were needed. All Exchange data and configuration information were intact, which simplified the Exchange restore. Progent was also able to collect the local OST files (Outlook offline folder files) from users' PCs to recover mailbox contents. A fairly recent offline backup of the financial/ERP software, one copy the ransomware had not been able to reach, made it possible to bring these vital applications back online. Although significant work remained to recover fully from the Ryuk damage, essential systems were returned to operation quickly:
"For the most part, the assembly line operation was never shut down and we made all customer orders."
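The OST collection step above hides a practical question: which of the files copied off dozens of PCs are still usable, and which did the ransomware get to first? The following is an added example, not Progent's tooling or anything from the original case study. It triages file heads by two cheap checks: the "!BDN" signature that Outlook writes at the start of every OST and PST file, and the Shannon entropy of the sampled bytes, which separates ciphertext from a merely truncated or zero-filled file. The sample input, the host and file names, the entropy threshold and the ".locked" suffix are all constructed for illustration.

```python
"""Triage copied-off OST/PST files before trying to recover mail from them.

Added example (not Progent's tooling). Two cheap checks decide whether a file
collected from a workstation is worth importing: does it still start with the
signature Outlook writes to every OST/PST ("!BDN"), and if not, does the
sampled content look like ciphertext (high Shannon entropy) or merely damaged?
"""
import math
import random
from collections import Counter
from typing import Optional

# Outlook OST and PST files share the same 4-byte header signature.
SIGNATURES = {".ost": b"!BDN", ".pst": b"!BDN"}

# Bits per byte; 8.0 is the maximum. Values this high over the sampled head
# of a file that should start with "!BDN" are typical of ciphertext.
# The threshold is a chosen heuristic, not a standard.
ENTROPY_THRESHOLD = 7.0
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def expected_signature(name: str) -> Optional[bytes]:
    """Look up the header we expect for this file.

    Every dotted suffix is checked, so a file renamed by the ransomware
    (e.g. jdoe.ost.locked, a constructed name) is still recognized as an OST.
    """
    base = name.rsplit("/", 1)[-1].lower()
    for part in base.split(".")[1:]:
        sig = SIGNATURES.get("." + part)
        if sig is not None:
            return sig
    return None


def classify(name: str, head: bytes) -> str:
    """Return one of: intact, likely-encrypted, damaged, unknown-type."""
    sig = expected_signature(name)
    if sig is None:
        return "unknown-type"
    if head.startswith(sig):
        return "intact"
    if shannon_entropy(head[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "damaged"  # wrong header but low entropy: truncated or zero-filled


def triage(files: dict) -> dict:
    """Classify a mapping of 'host/filename' -> first bytes of the file."""
    return {name: classify(name, head) for name, head in files.items()}


def sample_files() -> dict:
    """Constructed sample input standing in for the heads of files copied off PCs."""
    rng = random.Random(2020)  # deterministic stand-in for ciphertext
    return {
        "PC-ACCT01/jdoe.ost": b"!BDN" + bytes(SAMPLE_BYTES - 4),
        "PC-HR02/kwong.pst": b"!BDN" + b"\x17" * (SAMPLE_BYTES - 4),
        "PC-ENG07/asmith.ost.locked": rng.randbytes(SAMPLE_BYTES),
        "PC-MFG03/zeroed.ost": bytes(SAMPLE_BYTES),
        "PC-HR02/notes.txt": b"plain text, no known signature",
    }


if __name__ == "__main__":
    for path, verdict in sorted(triage(sample_files()).items()):
        print(f"{verdict:17} {path}")
```

Against real collections, feed `triage` the first `SAMPLE_BYTES` of each file (`open(path, "rb").read(SAMPLE_BYTES)`) rather than the constructed heads; only files classified `intact` are worth importing into Outlook, while `likely-encrypted` ones should be set aside as evidence rather than discarded.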
During the next few weeks, important milestones in the recovery were reached through close cooperation between Progent engineers and the client:
- In-house web applications were restored with no loss of data.
- The MailStore Server archive, holding more than four million historical messages, was brought back online and made accessible to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory functions were completely operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Most of the desktops and laptops were back in use by staff.
"A huge amount of what transpired those first few days is mostly a haze for me, but I will not soon forget the commitment each and every one of you put in to give us our business back. I have trusted Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This event was a life saver."
A potential business-ending catastrophe was averted through dedicated professionals, a broad range of knowledge, and close teamwork. Forensic analysis after the fact showed that this incident could have been detected and blocked by modern endpoint protection, ISO/IEC 27001 best practices, user and IT administrator training, well-rehearsed incident response procedures for data protection, and proper patch management. Even so, state-sponsored and criminal groups from China, North Korea and elsewhere are relentless and remain an ongoing threat. If you are hit by a ransomware attack, remember that Progent's roster of professionals has proven experience in ransomware prevention, containment, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), thanks very much for letting me get some sleep after we made it past the initial fire. Everyone did an amazing effort, and if any of your team is in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Curitiba a variety of remote monitoring and security assessment services designed to assist you to minimize your vulnerability to crypto-ransomware. These services utilize next-generation AI capability to detect new strains of ransomware that are able to get past traditional signature-based security solutions.
For 24-Hour Curitiba Ransomware Recovery Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses SentinelOne's next-generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-based AV products. ProSight ASM protects on-premises and cloud resources and offers a single platform covering the full attack lifecycle: prevention, detection, containment, remediation, and forensics. Key capabilities include single-click rollback using Windows VSS snapshots and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools packaged within one agent managed from a single console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP environment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent's consultants can also help you install and test a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly after a destructive attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with leading backup software companies to produce ProSight Data Protection Services (DPS), a selection of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products manage and track your backup processes and enable transparent backup and fast restoration of vital files/folders, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious insiders, or software bugs. Managed services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading information security vendors to deliver web-based control and world-class protection for all your email traffic. The architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer layered defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and blocks most threats before they reach your security perimeter. This reduces your exposure to external attacks and saves bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server track and safeguard internal email that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to map out, monitor, enhance and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers plus servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are kept updated, copies and manages the configuration of almost all devices connected to your network, monitors performance, and generates notices when problems are discovered. By automating time-consuming management processes, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, locating devices that require important software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating efficiently by tracking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT management staff and your assigned Progent consultant so all looming issues can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved quickly to an alternate hardware environment without a time-consuming and technically risky reconfiguration. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can save up to 50% of the time otherwise wasted trying to find critical information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and correlating IT data. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection service that uses behavior analysis technology to guard endpoint devices and physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which easily get past legacy signature-based anti-virus tools. The service safeguards local and cloud resources and offers a single platform to address the complete attack lifecycle: blocking, intrusion detection, containment, cleanup, and forensics. Key features include single-click rollback using Windows VSS snapshots and real-time system-wide immunization against new attacks. Read more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Service Desk: Call Center Managed Services
Progent's Support Desk managed services enable your information technology staff to outsource Call Center services to Progent or split responsibilities for support services seamlessly between your in-house network support group and Progent's extensive pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a smooth supplement to your corporate network support group. End user access to the Service Desk, delivery of technical assistance, issue escalation, ticket generation and tracking, performance metrics, and maintenance of the service database are consistent regardless of whether incidents are resolved by your in-house network support staff, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Service Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management provide businesses of any size a flexible and affordable alternative for assessing, validating, scheduling, applying, and tracking software and firmware updates to your dynamic information system. Besides optimizing the security and reliability of your IT environment, Progent's patch management services allow your IT team to concentrate on line-of-business initiatives and activities that derive maximum business value from your network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services incorporate Cisco's Duo technology to protect accounts against stolen or guessed passwords by requiring a second authentication factor. Duo supports one-tap identity confirmation on iOS, Android, and other personal devices. With Duo 2FA, after you sign into a protected application with your password you are asked to confirm your identity via a device that only you possess and that is reached over a separate, out-of-band channel. A wide selection of devices can serve as this second factor, such as a smartphone or watch, a hardware or software token, or a landline phone, and you can enroll more than one verification device. For more information about ProSight Duo identity validation services, refer to Duo MFA two-factor authentication (2FA) services for access security.