Ransomware: Your Crippling IT Nightmare
Crypto-ransomware has become a too-frequent cyberplague that poses an extinction-level danger for organizations poorly prepared for an assault. Multiple generations of crypto-ransomware such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and continue to cause harm. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with frequent unnamed viruses, not only encrypt online data but also infiltrate most accessible system backups. Files synched to the cloud can also be rendered useless. In a poorly designed system, this can make any restoration impossible and basically knock the datacenter back to zero.

Getting applications and data back on-line after a ransomware outage becomes a sprint against the clock as the targeted organization fights to contain and clean up the virus and to resume business-critical activity. Because crypto-ransomware takes time to spread, attacks are often launched at night, when successful penetrations may take longer to discover. This compounds the difficulty of quickly mobilizing and coordinating a capable mitigation team.

Progent has an assortment of solutions for securing businesses from ransomware penetrations. Among these are staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of modern security solutions with AI technology to quickly discover and extinguish zero-day cyber threats. Progent in addition offers the assistance of experienced ransomware recovery consultants with the talent and perseverance to reconstruct a compromised network as quickly as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will return the codes to decipher any of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their data even after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from 15 to 40 BTC (between $120,000 and $400,000). This is well above the average ransomware demand, which ZDNET estimates to be in the range of $13,000. The other path is to set up from scratch the essential elements of your IT environment. Without the availability of full data backups, this calls for a wide complement of skills, top-notch team management, and the ability to work 24x7 until the task is finished.

For two decades, Progent has offered expert IT services for companies in Curitiba and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP applications. This breadth of experience provides Progent the ability to quickly identify necessary systems and consolidate the surviving pieces of your network system after a ransomware penetration and assemble them into an operational system.

Progent's ransomware team utilizes powerful project management tools to orchestrate the sophisticated recovery process. Progent appreciates the importance of acting quickly and in unison with a customer’s management and IT team members to assign priority to tasks and to get the most important services back on-line as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Penetration Restoration
A small business escalated to Progent after their organization was taken over by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state cybercriminals, suspected of using approaches leaked from the United States National Security Agency. Ryuk attacks specific companies with little room for operational disruption and is among the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago with around 500 employees. The Ryuk penetration had frozen all business operations and manufacturing processes. Most of the client's data protection systems had been directly accessible at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but in the end engaged Progent.


"I cannot tell you enough in regards to the help Progent gave us throughout the most stressful time of (our) businesses survival. We had little choice but to pay the hackers behind this attack except for the confidence the Progent group provided us. The fact that you could get our e-mail and important servers back on-line quicker than 1 week was beyond my wildest dreams. Every single expert I interacted with or texted at Progent was laser focused on getting us restored and was working day and night to bail us out."

Progent worked with the customer to quickly identify and prioritize the critical areas that needed to be addressed in order to continue company operations:

  • Windows Active Directory
  • Microsoft Exchange
  • MRP System

To begin, Progent followed anti-virus incident response best practices by halting lateral movement and clearing infected systems. Progent then initiated the work of restoring Active Directory, the core of enterprise networks built upon Microsoft technology. Microsoft Exchange email will not work without AD, and the business's accounting and MRP software utilized Microsoft SQL Server, which needs Windows AD for access to the information.

Within two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then initiated rebuilding and hard drive recovery on needed applications. All Exchange data and configuration information were usable, which facilitated the restore of Exchange. Progent was able to find local OST files (Microsoft Outlook Off-Line Data Files) on user workstations in order to recover mail data. A reasonably recent offline backup of the business's accounting/ERP systems made it possible to bring these vital programs back on-line. Although major work remained to recover fully from the Ryuk attack, the most important services were recovered quickly:


"For the most part, the manufacturing operation was never shut down and we delivered all customer shipments."

During the next couple of weeks, critical milestones in the restoration project were accomplished in tight collaboration between Progent consultants and the customer:

  • In-house web applications were restored with no loss of data.
  • The MailStore Server, holding more than 4 million archived emails, was brought on-line and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were 100 percent functional.
  • A new Palo Alto 850 security appliance was set up.
  • 90% of the user PCs were back in operation.

"Much of what transpired that first week is mostly a fog for me, but my team will not soon forget the urgency each of your team accomplished to help get our business back. I’ve entrusted Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This time was a testament to your capabilities."

Conclusion
A probable business-killing catastrophe was avoided thanks to top-tier experts, a wide array of subject matter expertise, and close collaboration. Although, with the hindsight of the completed forensics, the ransomware incident described here should have been identified and prevented with advanced security solutions and security best practices, team training, and appropriate incident response procedures for data protection and applying software patches, the reality is that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, feel confident that Progent's team of experts has substantial experience in ransomware virus blocking, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for making it so I could get rested after we got through the first week. All of you did an amazing effort, and if anyone that helped is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Curitiba a variety of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services utilize modern AI capability to uncover new strains of ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior analysis technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to automate the complete malware attack lifecycle including blocking, infiltration detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint control, and web filtering via leading-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that addresses your organization's unique needs and that helps you prove compliance with legal and industry information security standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also help you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations a low cost end-to-end solution for reliable backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of vital data, applications and VMs that have become unavailable or corrupted due to component breakdowns, software glitches, disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local device, or to both. Progent's backup and recovery specialists can deliver advanced expertise to configure ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can assist you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security companies to deliver centralized control and world-class protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. The cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite gateway device adds a further level of inspection for incoming email. For outgoing email, the onsite gateway offers AV and anti-spam protection, DLP, and email encryption. The local gateway can also help Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent’s ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, monitor, optimize and debug their connectivity appliances like routers, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that network diagrams are always current, copies and displays the configuration of almost all devices on your network, monitors performance, and generates notices when potential issues are discovered. By automating tedious management processes, WAN Watch can knock hours off common chores like making network diagrams, expanding your network, finding appliances that require important software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent’s server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running efficiently by tracking the state of vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT management staff and your assigned Progent engineering consultant so that any potential problems can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved easily to a different hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and safeguard information about your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as 50% of time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you’re making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

For 24/7/365 Curitiba Crypto Cleanup Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.