Crypto-Ransomware : Your Worst IT Disaster
Ransomware Recovery Experts
Ransomware has become a too-frequent cyberplague that presents an enterprise-level danger for businesses unprepared for an assault. Multiple generations of ransomware like the CrySIS, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been around for many years and continue to inflict destruction. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, along with daily as yet unnamed newcomers, not only encrypt on-line files but also attack most of the system protection they can reach, such as on-line backups. Data synchronized to the cloud can also be corrupted. In a poorly architected environment, this can make any restore operation useless and effectively sets the datacenter back to zero.

Retrieving programs and information after a crypto-ransomware event becomes a sprint against time as the victim tries its best to stop lateral movement, clean up the crypto-ransomware, and restore mission-critical activity. Because ransomware needs time to replicate, assaults are often launched during nights and weekends, when penetrations typically take more time to recognize. This compounds the difficulty of rapidly marshalling and orchestrating an experienced mitigation team.

Progent provides an assortment of services for securing organizations against crypto-ransomware events. Among these are user education to help staff recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security appliances with machine learning capabilities from SentinelOne to detect and quarantine zero-day cyber attacks automatically. Progent can also provide the assistance of expert ransomware recovery consultants with the talent and commitment to rebuild a breached system as urgently as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, even paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the cyber hackers will respond with the keys to decrypt any of your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET averages at around $13,000. The other path is to set up from scratch the mission-critical elements of your IT environment. Absent the availability of full system backups, this calls for a broad complement of skills, professional team management, and the ability to work non-stop until the task is completed.

For decades, Progent has made available certified expert Information Technology services for businesses in Curitiba and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained high-level certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP application software. This breadth of experience gives Progent the skills to knowledgeably identify critical systems, organize the surviving components of your computer network after a ransomware penetration, and configure them into a functioning network.

Progent's security group deploys state-of-the-art project management tools to coordinate the complicated restoration process. Progent understands the urgency of working swiftly and in concert with a client's management and IT staff to prioritize tasks and to get critical services back online as fast as humanly possible.

Customer Story: A Successful Ransomware Attack Restoration
A customer hired Progent after their network system was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored hackers, suspected of using algorithms leaked from the United States National Security Agency. Ryuk attacks specific companies with little or no room for operational disruption and is one of the most lucrative incarnations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with about 500 employees. The Ryuk intrusion had disabled all company operations and manufacturing processes. The majority of the client's data backups had been on-line at the time of the attack and were damaged. The client was evaluating paying the ransom demand (in excess of $200,000) and hoping for good luck, but in the end engaged Progent.


"I can't speak enough about the expertise Progent gave us throughout the most stressful time of (our) business's life. We had little choice but to pay the cybercriminals except for the confidence the Progent team gave us. The fact that you were able to get our e-mail and critical servers back faster than one week was something I thought impossible. Every single expert I spoke to or texted at Progent was laser focused on getting us back on-line and was working 24 by 7 to bail us out."

Progent worked together with the customer to quickly understand and assign priority to the essential elements that needed to be restored in order to resume company operations:

  • Active Directory (AD)
  • Electronic Mail
  • Accounting/MRP
To get going, Progent adhered to industry best practices for anti-virus incident response by halting lateral movement and removing active malware. Progent then began the steps of recovering Windows Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not function without AD, and the customer's accounting and MRP applications leveraged Microsoft SQL Server, which requires Active Directory for access to the databases.
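The restoration sequence above follows from the dependencies between services: Exchange and SQL Server cannot come back before Active Directory, and the accounting/MRP applications cannot come back before SQL Server. The following Python script is an added example, not code from Progent or from the case study, that turns such a dependency map into a restoration plan: it computes which services can be rebuilt in parallel at each stage (Kahn's topological sort), refuses a map that contains a cycle or an undefined dependency, and reports the blast radius of a single lost service. The service names and the dependency map are constructed from the case study and are assumptions; real environments will have more nodes and edges.

```python
"""Dependency-ordered restoration planning after a ransomware incident (added example)."""
from collections import deque

# Constructed dependency map based on the case study: each service maps to the
# services it needs before it can be brought back. Names are illustrative only.
CASE_STUDY_DEPENDENCIES = {
    "Active Directory": set(),
    "Exchange Server": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "Accounting/MRP": {"SQL Server"},
    "MailStore Archive": {"Active Directory", "Exchange Server"},
}


def restoration_waves(deps):
    """Return the restoration order as a list of waves.

    Every service in a wave depends only on services in earlier waves, so all
    members of one wave can be rebuilt in parallel. Raises ValueError if the
    map references an unknown service or contains a dependency cycle.
    """
    indegree = {svc: len(needs) for svc, needs in deps.items()}
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for dep in needs:
            if dep not in deps:
                raise ValueError(f"{svc!r} depends on unknown service {dep!r}")
            dependents[dep].append(svc)

    # Services with no unmet dependency form the first wave; sorted for a
    # deterministic plan regardless of dict/set iteration order.
    ready = sorted(svc for svc, n in indegree.items() if n == 0)
    waves = []
    while ready:
        waves.append(ready)
        next_ready = []
        for svc in ready:
            for child in dependents[svc]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    next_ready.append(child)
        ready = sorted(next_ready)

    placed = sum(len(wave) for wave in waves)
    if placed != len(deps):
        stuck = sorted(svc for svc, n in indegree.items() if n > 0)
        raise ValueError(f"dependency cycle involving {stuck}")
    return waves


def blast_radius(deps, lost_service):
    """Return every service that stops working (transitively) if one is lost."""
    if lost_service not in deps:
        raise ValueError(f"unknown service {lost_service!r}")
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for dep in needs:
            dependents[dep].append(svc)
    impacted, queue = set(), deque([lost_service])
    while queue:
        current = queue.popleft()
        for child in dependents[current]:
            if child not in impacted:
                impacted.add(child)
                queue.append(child)
    return impacted


if __name__ == "__main__":
    for i, wave in enumerate(restoration_waves(CASE_STUDY_DEPENDENCIES), 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("lost AD takes down:", sorted(blast_radius(CASE_STUDY_DEPENDENCIES, "Active Directory")))
```

Run on the constructed map, the first wave is Active Directory alone, the second is Exchange Server and SQL Server, and the third is Accounting/MRP and the MailStore archive, which matches the order the case study describes; the blast-radius check makes explicit why a damaged AD stops everything else.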

In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with setup and hard drive recovery of the needed servers. All Microsoft Exchange Server data and configuration information were intact, which greatly helped the restore of Exchange. Progent was also able to assemble intact OST files (Outlook Off-Line Data Files) from team workstations and laptops in order to recover email data. A not too old offline backup of the business's manufacturing systems made it possible to return these vital programs to serving users. Although significant work remained to recover fully from the Ryuk damage, critical services were returned to operation rapidly:


"For the most part, the production operation never missed a beat and we produced all customer sales."

Throughout the following few weeks, important milestones in the restoration process were reached in tight cooperation between Progent consultants and the client:

  • Internal web sites were brought back up with no loss of information.
  • The MailStore Server containing more than 4 million archived emails was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory capabilities were 100% functional.
  • A new Palo Alto 850 firewall was installed.
  • 90% of the user PCs were back into operation.

"So much of what happened in the early hours is mostly a haze for me, but my management will not soon forget the care each and every one of your team put in to give us our company back. I have utilized Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This situation was a life saver."

Conclusion
A probable enterprise-killing disaster was dodged with results-oriented experts, a broad spectrum of knowledge, and close collaboration. In hindsight, the ransomware penetration described here should have been blocked by current cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and appropriate incident response procedures for backups and for keeping systems up to date with security patches. The fact remains, however, that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of experts has proven experience in ransomware blocking, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for allowing me to get rested after we got through the initial push. Everyone did an amazing job, and if any of your guys are around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Curitiba a variety of remote monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services incorporate next-generation AI capability to detect zero-day strains of crypto-ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior analysis technology to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely get by legacy signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to address the complete malware attack lifecycle including protection, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through cutting-edge tools incorporated within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist your business to design and implement a ProSight ESP environment that addresses your organization's specific requirements and that helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent's consultants can also assist you to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup software providers to create ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS products manage and monitor your data backup operations and allow transparent backup and fast restoration of important files, applications, system images, and VMs. ProSight DPS lets your business avoid data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks like ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed backup services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security companies to provide web-based control and comprehensive protection for your email traffic. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to provide advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a preliminary barricade and blocks most threats from making it to your network firewall. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a further level of analysis for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent’s ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to map, track, optimize and debug their networking hardware such as routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are always current, captures and displays the configuration of virtually all devices on your network, tracks performance, and generates notices when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, locating appliances that require important software patches, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent’s server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your IT system running at peak levels by tracking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT management staff and your assigned Progent consultant so any potential problems can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates cutting edge behavior-based analysis tools to guard endpoints and physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-based AV tools. Progent ASM services safeguard local and cloud-based resources and offer a single platform to automate the entire malware attack lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
    Progent's Call Center managed services permit your information technology group to outsource Call Center services to Progent or split activity for Help Desk services transparently between your internal support staff and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Shared Service Desk provides a seamless supplement to your core support team. User access to the Service Desk, provision of support, escalation, trouble ticket creation and tracking, performance measurement, and management of the support database are consistent whether issues are resolved by your corporate network support resources, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide businesses of any size a flexible and cost-effective solution for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information system. In addition to maximizing the protection and functionality of your IT environment, Progent's patch management services free up time for your IT staff to concentrate on more strategic projects and activities that derive maximum business value from your network. Read more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to defend against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. Using Duo 2FA, whenever you log into a secured application and enter your password, you are asked to confirm who you are via a device that only you possess and that uses a different network channel. A wide selection of devices can be utilized as this added means of ID validation, including a smartphone or wearable, a hardware/software token, or a landline telephone. You can register several validation devices. For details about ProSight Duo identity authentication services, refer to Duo MFA two-factor authentication (2FA) services for access security.
For Curitiba 24-7 Ransomware Removal Services, call Progent at 800-462-8800 or go to Contact Progent.