Ransomware: Your Crippling Information Technology Catastrophe
Crypto-ransomware has become a frequent enough plague that it presents an existential danger to any business vulnerable to an attack. Ransomware families such as CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock have been circulating for years and still inflict damage. Newer variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, plus additional as yet unnamed malware, do not merely encrypt online data: they also delete Volume Shadow Copies and restore points and encrypt any backup that is reachable from the compromised host. Data synchronized to cloud storage is not safe either, because the sync client faithfully replicates the encrypted files. With a poorly architected data protection design, this can make any restoration hopeless and effectively knocks the datacenter back to square one.
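The pre-encryption step described above, wiping shadow copies, backup catalogs and boot recovery, is one of the few moments where ransomware is loud and stoppable. The following detector is an added example, not code from the original page or from Progent: it scans process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled) for those commands. The field names approximate the Sysmon schema, the sample events are constructed by hand, and the dropper path is hypothetical.

```python
"""Flag process-creation events that destroy Windows recovery options.

Added example (not from the original page). Scans JSON-lines process-creation
telemetry for the commands ransomware typically runs before encrypting:
deleting Volume Shadow Copies, shrinking shadow storage, wiping the Windows
Backup catalog and disabling boot recovery. Sample events are constructed,
not real logs; field names approximate the Sysmon Event ID 1 schema.
"""
import json
import re
from collections import defaultdict
from typing import Iterable

# Command-line patterns for backup / restore-point tampering. Matching runs
# case-insensitively on a quote-stripped, whitespace-collapsed command line so
# 'VSSADMIN.EXE  delete   shadows' and 'vssadmin "delete" shadows' both hit.
TAMPER_PATTERNS = {
    "vss_delete":         re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows", re.I),
    "vss_resize":         re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_catalog":    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)", re.I),
    "bcdedit_recovery":   re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "ps_shadow_delete":   re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
}


def normalize(cmd: str) -> str:
    """Strip quoting and collapse whitespace so trivial obfuscation does not evade the regexes."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).strip()


def classify(event: dict) -> list[str]:
    """Return the names of every tampering pattern the event's command line matches."""
    cmd = normalize(event.get("CommandLine", ""))
    return [name for name, pat in TAMPER_PATTERNS.items() if pat.search(cmd)]


def scan(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines telemetry and return one finding per matching event."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the whole scan
        tags = classify(ev)
        if tags:
            findings.append({"host": ev.get("Computer"), "user": ev.get("User"),
                             "parent": ev.get("ParentImage"), "tags": tags,
                             "cmd": ev.get("CommandLine")})
    return findings


def hosts_with_tamper_chain(findings: list[dict], min_distinct: int = 2) -> dict[str, set[str]]:
    """Hosts on which several *different* tampering techniques fired.

    One 'vssadmin delete shadows' may be an admin reclaiming disk space;
    delete + resize + bcdedit + wbadmin on one host is the pre-encryption
    sequence and should page someone immediately.
    """
    by_host: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_host[f["host"]].update(f["tags"])
    return {h: t for h, t in by_host.items() if len(t) >= min_distinct}


def _ev(host: str, user: str, parent: str, cmd: str) -> dict:
    return {"Computer": host, "User": user, "ParentImage": parent, "CommandLine": cmd}


# Constructed sample telemetry (not real data). WS-ACCT-07 shows the typical
# pre-encryption sequence; FS-01 shows a benign 'list' that must NOT fire.
DROPPER = "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"  # hypothetical payload path
SAMPLE_EVENTS = [
    _ev("FS-01", "CORP\\backupsvc", "C:\\Windows\\System32\\cmd.exe", "vssadmin list shadows"),
    _ev("WS-ACCT-07", "CORP\\alice", DROPPER, "vssadmin.exe Delete Shadows /All /Quiet"),
    _ev("WS-ACCT-07", "CORP\\alice", DROPPER, "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    _ev("WS-ACCT-07", "CORP\\alice", DROPPER, "\"C:\\Windows\\System32\\wbem\\WMIC.exe\" shadowcopy delete"),
    _ev("WS-ACCT-07", "CORP\\alice", DROPPER, "bcdedit /set {default} recoveryenabled No"),
    _ev("WS-ACCT-07", "CORP\\alice", DROPPER, "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    _ev("WS-ACCT-07", "CORP\\alice", DROPPER, "wbadmin delete catalog -quiet"),
    _ev("WS-ACCT-07", "CORP\\alice", DROPPER,
        "powershell.exe -nop -w hidden -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\""),
    _ev("WS-ACCT-07", "CORP\\alice", "C:\\Windows\\explorer.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']:<11} {f['user']:<16} {','.join(f['tags']):<20} {f['cmd']}")
    print("hosts showing a tamper chain:", hosts_with_tamper_chain(scan(SAMPLE_LOG)))
```

The detector keys on delete and resize verbs, not on the tool names, so routine "vssadmin list shadows" from a backup service stays quiet, and it escalates only when several distinct techniques land on one host. In production the parent image is the second signal worth alerting on: these commands launched by an executable in a user's Temp directory, as in the constructed sample, are almost never legitimate.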
Recovering services and data after a ransomware event becomes a race against time as the targeted organization fights to contain and clean up the infection and to resume business-critical activity. Because ransomware needs time to spread, the encryption phase is frequently triggered at night or over a weekend, when it is likely to take longer to discover. This compounds the difficulty of promptly mobilizing and organizing an experienced response team.
Progent offers a range of services for protecting businesses from ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (an endpoint protection service built on SentinelOne's behavior-based detection engine) to identify and contain new attacks quickly, and the setup and configuration of next-generation security gateways. Progent also offers the assistance of expert ransomware recovery consultants with the skills and commitment to restore a compromised environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt all your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also very expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the mission-critical elements of your IT environment from scratch. Without usable backups of essential systems, this calls for a wide range of skills, well-coordinated project management, and the ability to work around the clock until the job is done.
For two decades, Progent has provided certified expert IT services for businesses in Curitiba and across the U.S. and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the ability to quickly identify your important systems, salvage the surviving parts of your network following a ransomware event, and integrate them into an operational environment.
Progent's security team uses state-of-the-art project management applications to orchestrate the complex recovery process. Progent understands the urgency of acting swiftly and in concert with a client's management and Information Technology resources to assign priority to tasks and to put essential services back on line as fast as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Recovery
A small business contacted Progent after it was hit by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the Hermes ransomware, but later analysis tied it to a financially motivated, Russian-speaking criminal group. Ryuk targets specific organizations that have little or no tolerance for operational disruption and is one of the most lucrative ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a manufacturing business located in the Chicago metro area with about 500 employees. The Ryuk infection had paralyzed all company operations and manufacturing capability. Most of the client's backups were online (reachable from the network) when the attack began and were encrypted along with production data. The client was weighing paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.
"I cannot say enough about the care Progent provided us throughout the most critical time of (our) business's life. We would have paid the criminal gangs if not for the confidence the Progent group provided us. That you were able to get our e-mail system and key applications back into operation in less than five days was amazing. Each person I talked with or e-mailed at Progent was absolutely committed to getting our system up and was working at all hours to bail us out."
Progent worked with the customer to quickly identify and prioritize the critical elements that had to be restored in order to resume departmental operations:
- Microsoft Active Directory
- Email (Microsoft Exchange)
To start, Progent followed incident response best practice: isolate affected hosts to halt lateral movement, then eradicate the malware before restoring anything. Progent then began restoring Microsoft Active Directory, the foundation of networks built on Microsoft Windows. Exchange will not operate without Active Directory, and the business's MRP system relied on Microsoft SQL Server, which used Active Directory (Windows authentication) to authorize access to the databases.
In less than 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then assisted with reinstallations and disk recovery on key systems. Because Exchange keeps its organization configuration in Active Directory, that configuration came back with AD and simplified rebuilding Exchange. Progent also located Outlook Offline Data Files (.OST) on user desktops and used them to recover mailbox contents. A recent offline backup of the customer's accounting software made it possible to bring those applications back online. Although significant work remained to recover fully from the Ryuk attack, essential systems were restored rapidly:
"For the most part, the production line operation showed little impact and we produced all customer sales."
Over the following month, key milestones in the restoration were reached through close cooperation between Progent consultants and the customer:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore email archive, holding more than four million historical Exchange messages, was brought back online and made accessible to users.
- CRM, order entry, invoicing, accounts payable, accounts receivable and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of user desktops and laptops were back in use by staff.
"A lot of what was accomplished in the initial days is mostly a blur for me, but my management will not forget the commitment each and every one of you put in to give us our business back. I have been working with Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered. This situation was no exception but maybe more Herculean."
A probable business disaster was averted thanks to dedicated experts, a broad range of subject matter expertise, and tight teamwork. The post-incident review showed that this attack could have been stopped by current security tooling and best practices, staff training, backups kept off the network, and timely security patching. Even so, criminal and state-sponsored actors in Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by crypto-ransomware, you can be confident that Progent's roster of experts has extensive experience in ransomware prevention, containment, and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get rested after we got over the initial push. Everyone did an impressive effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer story, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Curitiba a portfolio of remote monitoring and security assessment services to help reduce the threat from crypto-ransomware. These services use behavior-based, machine-learning detection to catch previously unseen ransomware variants that slip past legacy signature-based antivirus.
For 24/7 Curitiba Ransomware Repair Experts, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's behavior-based detection technology to defend physical and virtual endpoints against modern malware such as ransomware and fileless attacks, which routinely evade traditional signature-based antivirus. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform that automates the entire threat lifecycle: prevention, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Because rollback depends on shadow copies, confirm that the endpoint agent also blocks the shadow-copy deletion that most ransomware attempts before it starts encrypting. Progent is a SentinelOne partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and machine learning for round-the-clock monitoring and response to threats across all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through tools combined in a single agent managed from a single console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP deployment that meets your organization's needs and allows you to demonstrate compliance with government and industry data protection standards. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require urgent attention. Progent's consultants can also help you install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security event such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with leading backup/restore software vendors to produce ProSight Data Protection Services, a family of managed offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and enable transparent backup and rapid recovery of important files and folders, applications, system images, and virtual machines. ProSight DPS lets your business recover from data loss caused by hardware failures, natural disasters, fire, cyber attacks such as ransomware, human error, malicious insiders, or application bugs. For ransomware in particular, at least one backup copy must be kept offline or immutable so it cannot be encrypted along with production data, which is exactly the failure seen in the case study above. Managed services in the ProSight DPS family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you determine which of these managed services best fit your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses technology from leading data security vendors to provide web-based management and strong protection for your email traffic. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to protect against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a first barrier and keeps the vast majority of unwanted email from ever reaching your network firewall, reducing your exposure to external threats and conserving bandwidth and storage. Email Guard's on-premises gateway adds a further layer of inspection for inbound email. For outbound email, the on-site gateway provides antivirus and anti-spam filtering, data loss prevention (DLP), and email encryption. The local gateway can also work with Microsoft Exchange Server to monitor and protect internal email that never leaves your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, monitor, enhance and troubleshoot their networking appliances such as routers, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are kept current, copies and manages the configuration information of almost all devices on your network, tracks performance, and sends notices when potential issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks such as network mapping, expanding your network, finding devices that require critical updates, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by checking the state of vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT personnel and your Progent consultant so that any looming issues can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With the ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved quickly to different hardware without a lengthy and technically risky reconfiguration. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that lets you capture, maintain, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL/TLS certificates or domain registrations. By keeping your infrastructure documentation current and organized, you can save up to 50% of the time otherwise wasted hunting for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. It also offers automation for gathering and correlating IT data. Whether you are making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Read more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) offering that uses next-generation behavior analysis to guard endpoints, servers and VMs against new malware attacks such as ransomware and malware delivered by phishing, which routinely evade legacy signature-based antivirus. Delivered through Progent's ProSight Active Security Monitoring service, it protects on-premises and cloud-based resources and offers a unified platform that automates the entire attack lifecycle: prevention, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Help Center: Support Desk Managed Services
Progent's Help Center services allow your IT staff to offload Support Desk services to Progent or to share Help Desk responsibilities seamlessly between your in-house support team and Progent's pool of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk acts as a transparent extension of your corporate support organization. User interaction with the Service Desk, delivery of support services, problem escalation, trouble ticket creation and tracking, performance metrics, and management of the service database are consistent whether issues are resolved by your in-house resources, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Help Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer businesses of any size a flexible and affordable solution for evaluating, validating, scheduling, applying, and documenting updates to your ever-evolving information system. In addition to maximizing the protection and reliability of your IT network, Progent's software/firmware update management services permit your in-house IT staff to focus on more strategic initiatives and activities that derive the highest business value from your network. Read more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo authentication service plans use Cisco's Duo cloud platform to defend against credential theft by requiring a second factor at sign-in. Duo enables single-tap identity confirmation on iOS, Android, and other personal devices. With Duo 2FA, after you enter your password for a protected application you are asked to confirm your identity on a device that only you possess and that is reached over a separate, out-of-band channel, so a stolen password alone is not enough to log in. A wide range of out-of-band devices can be used for this second factor, including an iPhone, Android phone or wearable, a hardware or software token, or a landline phone, and you may enroll several verification devices. To learn more about Duo two-factor identity authentication services, visit Duo MFA two-factor authentication services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of in-depth reporting tools designed to integrate with leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and uses color coding to highlight and contextualize key issues such as spotty support follow-through or endpoints with out-of-date antivirus. By surfacing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.