Ransomware: Your Feared IT Nightmare
Ransomware has become a modern cyber pandemic that poses an extinction-level danger for businesses of all sizes that are unprepared for an attack. Ransomware families such as CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock have been circulating for years and continue to inflict damage. Newer families like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with strains that have not yet been named, not only encrypt online files but also seek out and destroy every backup they can reach. Data replicated to cloud environments can be corrupted as well. In a poorly designed environment this can make restore operations hopeless and effectively knocks the network back to zero.
Recovering services and data after a ransomware event becomes a race against time as the targeted organization fights to stop the spread, remove the ransomware and restore mission-critical operations. Attackers typically spend days or weeks moving laterally through a network before encrypting, and they often detonate the payload on a weekend, when the intrusion takes longer to discover and responders are harder to reach. This compounds the difficulty of quickly assembling and organizing a knowledgeable mitigation team.
Progent offers an assortment of support services for protecting businesses from ransomware attacks. These include user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for managed endpoint protection, and deployment of SentinelOne's next-generation endpoint protection, which uses behavioral AI to detect and quarantine zero-day threats rapidly. Progent also offers the assistance of seasoned ransomware recovery consultants with the skills and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Services
Paying the ransom in Bitcoin after an attack provides no assurance that the remote criminals will hand over working keys to decrypt all of your files. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is costly: Ryuk demands have commonly ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the mission-critical elements of your IT environment. Without full, intact data backups, this requires a wide complement of skills, top-notch project management, and the capacity to work around the clock until the recovery is complete.
For decades, Progent has provided expert IT services for companies in Guarulhos and throughout the United States and has earned Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts (SMEs) includes professionals who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of experience gives Progent the skills to rapidly identify critical systems, reorganize the surviving pieces of your network after a ransomware attack, and configure them into a functioning environment.
Progent's security group uses best-of-breed project management tools to coordinate the complicated recovery process. Progent appreciates the importance of working quickly and in concert with a customer's management and IT staff to prioritize tasks and get essential applications back online as soon as possible.
Customer Story: A Successful Ransomware Recovery
A client escalated to Progent after their company was taken over by the Ryuk ransomware. Ryuk was initially attributed by some analysts to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, but later research has linked its operators to a Russian-speaking criminal group. Ryuk targets specific businesses with little or no tolerance for downtime and is one of the most profitable ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were destroyed. The client was arranging financing to pay the ransom (more than $200K) and hoping for the best, but ultimately brought in Progent.
"I cannot tell you enough about the support Progent provided us during the most stressful period of (our) business's life. We may have had to pay the hackers except for the confidence the Progent team gave us. The fact that you were able to get our messaging and essential applications back into operation in under five days was incredible. Each expert I talked with or e-mailed at Progent was totally committed to getting our system up and was working non-stop to bail us out."
Progent worked with the customer to quickly identify and prioritize the critical systems that had to be recovered in order to resume business operations:
- Windows Active Directory
- Accounting and manufacturing software
To begin, Progent followed ransomware incident response best practices: isolating infected systems to halt lateral movement, then cleaning them. Progent then started bringing Microsoft Active Directory back online, since AD is the foundation of an enterprise environment built on Windows Server. Microsoft Exchange Server email will not operate without AD, and the client's accounting and MRP applications ran on SQL Server, which relied on Active Directory for Windows authentication to the database.
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then completed the rebuild and storage recovery of the remaining key systems. Because Exchange stores its organization configuration in Active Directory, that configuration was intact once AD was rebuilt, which accelerated the Exchange recovery. Progent collected the local OST files (Microsoft Outlook Offline Folder Files) from staff workstations to recover email messages. A recent offline backup of the customer's manufacturing software made it possible to bring those essential applications back online. Although significant work remained to recover fully from the Ryuk attack, core systems were restored rapidly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer orders."
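The OST collection described above, as an added example that is not part of the original page or Progent's own tooling: a Python triage script that inventories OST files gathered from workstations, hashes each one for the recovery record, and separates intact files from those written after the attack (possibly encrypted in place) or renamed with a ransomware extension. The directory layout, the detonation time, the .RYK suffix and the sample tree it builds are all assumptions constructed for this example; OST files only hold mail synced before the attack, so triage tells you which ones are worth importing.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed layout: each workstation's profile tree is copied or mounted under one
# root, e.g. <root>/<host>/Users/<user>/AppData/Local/Microsoft/Outlook/<mailbox>.ost
# Ransomware usually appends its own extension to files it encrypts; the suffix
# list is an assumption for this example (Ryuk variants appended .RYK).
ENCRYPTED_SUFFIXES = (".ryk",)


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so multi-gigabyte OST files are never loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_ost_files(root: Path, attack_time: datetime) -> list[dict]:
    """Inventory every OST file under root and classify it.

    candidate              intact .ost not written since attack_time; collect it
    modified_after_attack  .ost written after attack_time; may be encrypted in place
    encrypted_suffix       .ost renamed with a ransomware extension; not recoverable
    """
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(".ost"):
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            status = "modified_after_attack" if mtime >= attack_time else "candidate"
        elif any(name.endswith(".ost" + suffix) for suffix in ENCRYPTED_SUFFIXES):
            status = "encrypted_suffix"
        else:
            continue
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
            "status": status,
        })
    return sorted(findings, key=lambda item: item["path"])


def build_sample_tree(root: Path, attack_time: datetime) -> None:
    """Constructed sample data for this example, not files from a real incident."""
    outlook = "Users/{user}/AppData/Local/Microsoft/Outlook"
    before = (attack_time - timedelta(days=2)).timestamp()
    after = (attack_time + timedelta(hours=3)).timestamp()
    samples = [
        ("WS01/" + outlook.format(user="alice") + "/alice@example.com.ost", b"OST-ALICE" * 64, before),
        ("WS02/" + outlook.format(user="bob") + "/bob@example.com.ost", b"OST-BOB" * 64, after),
        ("WS03/" + outlook.format(user="carol") + "/carol@example.com.ost.RYK", b"\x00encrypted" * 64, after),
        ("WS03/" + outlook.format(user="carol") + "/RansomNote.txt", b"ransom note", after),
    ]
    for rel, content, mtime in samples:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
        os.utime(target, (mtime, mtime))  # backdate/postdate relative to the attack


def demo() -> list[dict]:
    """Build the constructed tree in a temp directory and triage it."""
    attack_time = datetime(2019, 6, 1, 2, 0, tzinfo=timezone.utc)  # assumed detonation time
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, attack_time)
        return triage_ost_files(root, attack_time)


if __name__ == "__main__":
    for item in demo():
        print(f'{item["status"]:22} {item["size"]:>8} {item["sha256"][:12]} {item["path"]}')
```

Only the `candidate` files are worth importing into Outlook; the hash recorded before copying doubles as a chain-of-custody entry for files that were later found to be damaged.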
Over the following month, important milestones in the recovery project were achieved in close cooperation between Progent consultants and the client:
- Internal web sites were returned to operation without losing any data.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was brought back up and made available to users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory capabilities were 100% recovered.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Ninety percent of the user workstations were fully operational.
"A huge amount of what occurred in the initial days is mostly a haze for me, but my team will not forget the commitment all of your team put in to help get our company back. I have been working with Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This event was a Herculean accomplishment."
A likely business disaster was averted through the efforts of results-oriented professionals, a wide array of technical expertise, and tight teamwork. In retrospect, the ransomware attack detailed here would probably have been identified and blocked by up-to-date security tooling, ISO/IEC 27001-aligned practices, user education, and well-thought-out procedures for offline backups and patching, but the fact remains that criminal and state-sponsored attackers are relentless and will keep coming. If you do fall victim to a ransomware attack, be confident that Progent's roster of professionals has a proven track record in ransomware defense, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for allowing me to get some sleep after we made it through the first week. All of you made a fabulous effort, and if any of your team is in the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Guarulhos a portfolio of online monitoring and security assessment services to help you reduce your exposure to ransomware. These services use modern machine learning to uncover new strains of ransomware that evade detection by traditional signature-based security products.
For Guarulhos 24/7/365 Crypto-Ransomware Removal Consultants, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service built on SentinelOne's next-generation, behavior-based machine learning engine to defend physical and virtual endpoints against modern attacks such as ransomware and phishing payloads that routinely escape traditional signature-based antivirus. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform for managing the full attack lifecycle: blocking, intrusion detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback of encrypted files using Windows Volume Shadow Copy Service snapshots and real-time network-wide immunization against newly discovered attacks. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring of and response to cyber attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization experts can help your business design and configure a ProSight ESP deployment that addresses your organization's specific needs and that allows you to achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also help your company set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup software providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your backup processes and enable non-disruptive backup and rapid restoration of critical files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, human error, malicious insiders, or application glitches. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you determine which of these managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security vendors to deliver centralized control and comprehensive security for all your email traffic. The hybrid architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from ever reaching your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of analysis for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Microsoft Exchange Server track and safeguard internal email that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to diagram, track, enhance and troubleshoot their connectivity appliances such as routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that network maps are always current, captures and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating complex management processes, ProSight WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, locating appliances that need critical software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your IT system running at peak levels by checking the state of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT staff and your Progent consultant so that all potential problems can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved immediately to alternate hardware without a time-consuming and difficult reinstallation. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL/TLS certificates or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to half of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and how-to's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection service that uses next-generation behavior-based analysis to guard endpoint devices and physical and virtual servers against modern malware attacks like ransomware and fileless exploits, which routinely escape legacy signature-matching AV tools. The service safeguards on-premises and cloud resources and provides a single platform to manage the entire attack lifecycle: filtering, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback of encrypted files using Windows Volume Shadow Copy Service snapshots and automatic network-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.
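Both the ProSight ASM and the Active Defense Against Ransomware descriptions above rely on one-click rollback from Volume Shadow Copy snapshots. The caveat a practitioner should keep in mind is that ransomware routinely deletes shadow copies and disables Windows recovery just before it starts encrypting (MITRE ATT&CK T1490, Inhibit System Recovery), so the rollback only works if that step was blocked or caught in time. As an added example that is not part of the original page or any Progent product, here is a Python detector that runs over process-creation events and flags those commands, with a parent-process allowlist so legitimate backup agents get a lower severity. The flattened event format, the backup-agent path, and the sample lines are constructed assumptions for this example.

```python
import re

# Constructed process-creation events in a flattened Sysmon Event ID 1 style:
# host|user|parent_image|image|command_line. Written for this example, not
# logs from the incident described on the page.
SAMPLE_EVENTS = r"""
WS01|CORP\alice|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt
WS01|CORP\alice|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
WS07|NT AUTHORITY\SYSTEM|C:\Program Files\BackupAgent\agent.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /for=C: /oldest
WS12|CORP\svc_mrp|C:\Users\svc_mrp\AppData\Local\Temp\lan.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /all /quiet & wmic.exe shadowcopy delete
WS12|CORP\svc_mrp|C:\Windows\System32\cmd.exe|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No
WS12|CORP\svc_mrp|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
"""

# Command-line patterns for shadow-copy destruction and recovery tampering
# (ATT&CK T1490). "vssadmin list shadows" deliberately does not match.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wmi_shadowcopy_delete_ps", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]

# Assumed allowlist: parent images of backup agents that legitimately prune
# shadow copies. Matches from these parents are downgraded to "review", not
# dropped, because an attacker can also launch tools from a trusted parent.
TRUSTED_BACKUP_PARENTS = {r"c:\program files\backupagent\agent.exe"}


def detect_recovery_inhibition(events_text: str, trusted_parents=TRUSTED_BACKUP_PARENTS) -> list[dict]:
    """Return one finding per event whose command line matches any rule."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)  # maxsplit keeps '|' inside the command line intact
        if len(parts) != 5:
            continue
        host, user, parent, image, cmdline = parts
        hits = [name for name, pattern in RULES if pattern.search(cmdline)]
        if not hits:
            continue
        severity = "review" if parent.lower() in trusted_parents else "alert"
        findings.append({
            "host": host,
            "user": user,
            "parent": parent,
            "image": image,
            "rules": hits,
            "severity": severity,
            "command_line": cmdline,
        })
    return findings


def hosts_to_isolate(findings: list[dict]) -> list[str]:
    """Hosts with at least one 'alert' finding: candidates for immediate network isolation."""
    return sorted({f["host"] for f in findings if f["severity"] == "alert"})


if __name__ == "__main__":
    results = detect_recovery_inhibition(SAMPLE_EVENTS)
    for finding in results:
        print(f'{finding["severity"]:6} {finding["host"]:5} {",".join(finding["rules"])}')
    print("isolate:", hosts_to_isolate(results))
```

In the sample, the backup agent's pruning on WS07 surfaces as `review`, while the three commands on WS12, launched under a service account from a binary in a Temp directory, produce `alert` findings and put WS12 on the isolation list. Because shadow copies are usually destroyed seconds before encryption begins, the response to an `alert` has to be automated isolation rather than a ticket.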
- Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
Progent's Help Desk managed services enable your information technology staff to offload Support Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your in-house support group and Progent's nationwide pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a smooth extension of your internal support team. End user interaction with the Service Desk, delivery of support, problem escalation, trouble ticket generation and tracking, performance measurement, and maintenance of the support database are cohesive whether incidents are resolved by your internal support organization, by Progent, or both. Find out more about Progent's outsourced/co-managed Call Desk services.
- Patch Management: Patch Management Services
Progent's support services for patch management provide organizations of any size a versatile and cost-effective alternative for evaluating, validating, scheduling, applying, and tracking software and firmware updates to your dynamic information network. Besides optimizing the protection and reliability of your computer network, Progent's software/firmware update management services allow your in-house IT staff to concentrate on line-of-business projects and tasks that deliver the highest business value from your network. Find out more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication services use Cisco's Duo cloud technology to protect against password theft through two-factor authentication (2FA). Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a protected application and enter your password, you are asked to confirm your identity with a device that only you possess and that communicates over a separate channel. A wide range of devices can serve as this second factor, including a smartphone or watch, a hardware or software token, or a landline telephone, and you can register multiple verification devices. For details about ProSight Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services.