Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware Recovery Consultants

Ransomware has become an escalating cyberplague that presents an extinction-level threat for businesses poorly prepared for an attack. Older strains of crypto-ransomware such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock have been running rampant for a long time and still cause damage. Newer variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, plus more unnamed malware, not only encrypt online data but also corrupt every system restore point and backup they can reach. Files synchronized to off-site disaster recovery sites can be corrupted as well. In a vulnerable environment this makes automated restoration impossible and effectively knocks the datacenter back to zero.
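Because the strains described above also corrupt on-line backups and synchronized copies, a recovery team has to decide which backup files can be trusted before restoring from them. The script below is an added example written for this page, not Progent's code or any product described here: it screens a backup set for two signs of encryption, a missing file-type header and ciphertext-like byte entropy. The file-type signatures are standard ones; the 7.5 bits/byte threshold, the list of compressed types, the file names and the sample contents are all constructed assumptions for the demonstration.

```python
import hashlib
import math
from collections import Counter

# Standard leading-byte signatures ("magic") for a few file types that an
# off-line backup of the systems in this case study might hold.
MAGIC = {
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".ost": b"!BDN",  # Outlook OST/PST container header
    ".pst": b"!BDN",
}

# Types that are compressed by design and therefore legitimately high-entropy;
# for these only the header check is meaningful (assumption: list is illustrative).
COMPRESSED = {".zip"}

# Assumption: ordinary documents sit well below 7.5 bits/byte, while the output
# of a ransomware cipher sits close to the 8.0 maximum.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 65536  # bytes examined per file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_file(name: str, data: bytes) -> dict:
    """Classify one backup file as 'intact' or 'suspect' (header missing or ciphertext-like)."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    header_ok = expected is None or data.startswith(expected)
    entropy = shannon_entropy(data[:SAMPLE_BYTES])
    if expected is not None and not header_ok:
        verdict, reason = "suspect", "expected header missing"
    elif ext in COMPRESSED:
        verdict, reason = "intact", "header present; compressed type, entropy not assessed"
    elif entropy >= ENTROPY_THRESHOLD:
        verdict, reason = "suspect", "entropy %.2f bits/byte looks like ciphertext" % entropy
    else:
        verdict, reason = "intact", "header present and entropy %.2f bits/byte is normal" % entropy
    return {"name": name, "verdict": verdict, "entropy": round(entropy, 2), "reason": reason}


def assess_backup_set(files: dict) -> dict:
    """Map each file name in a backup set to its verdict."""
    return {name: assess_file(name, data)["verdict"] for name, data in files.items()}


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample backup set: three intact files and two that a ransomware
# run would have left behind (one overwritten in place, one renamed).
SAMPLE_BACKUP = {
    "invoices.pdf": b"%PDF-1.4\n" + b"Invoice 2019-Q3 total due 1200.00\n" * 200,
    "mailbox.ost": b"!BDN" + b"\x00" * 508 + b"Subject: shipment schedule\r\n" * 300,
    "archive.zip": b"PK\x03\x04" + _pseudo_random(4096, b"compressed-payload"),
    "ledger.pdf": _pseudo_random(4096, b"overwritten-in-place"),
    "drawings.dwg.locked": _pseudo_random(4096, b"renamed-by-ransomware"),
}

if __name__ == "__main__":
    for name, data in SAMPLE_BACKUP.items():
        print("%-22s %s" % (name, assess_file(name, data)["reason"]))
```

The header check catches files overwritten in place, which keep their original name but lose their signature; the entropy check catches files the malware renamed, for which no signature is known. Compressed containers are the usual false positive of an entropy-only screen, which is why they are judged on the header alone.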

Recovering applications and data after a crypto-ransomware outage becomes a race against the clock as the targeted business works to contain and remove the malware and resume business-critical activity. Because ransomware needs time to spread, intrusions are often triggered at night, when a successful attack is likely to go undetected for longer. This compounds the difficulty of promptly assembling and coordinating a qualified mitigation team.

Progent provides a variety of services for protecting businesses from ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security gateways with artificial intelligence capabilities from SentinelOne to detect and suppress zero-day cyber threats quickly. Progent can also provide veteran crypto-ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in cryptocurrency does not ensure that the criminals will return the keys to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never restored their files after paying the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET estimates at around $13,000. The other path is to rebuild the vital elements of your IT environment. Absent complete system backups, this requires a broad complement of skill sets, well-coordinated team management, and the capability to work non-stop until the recovery project is finished.

For decades, Progent has made available expert Information Technology services for companies in Guarulhos and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned advanced certifications in key technologies like Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity engineers have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of experience affords Progent the skills to quickly understand necessary systems and integrate the remaining components of your computer network environment following a crypto-ransomware penetration and assemble them into an operational network.

Progent's ransomware team of experts deploys best of breed project management tools to coordinate the complex recovery process. Progent knows the importance of acting rapidly and together with a customer's management and Information Technology team members to assign priority to tasks and to put essential applications back online as soon as possible.

Business Case Study: A Successful Ransomware Incident Response
A customer engaged Progent after their organization was brought down by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state cybercriminals, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with limited tolerance for disruption and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company located in the Chicago metro area with around 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing capabilities. The majority of the client's backups had been on-line at the time of the attack and were damaged. The client was actively seeking loans to pay the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.


"I can't thank you enough in regards to the expertise Progent gave us throughout the most critical period of (our) business's survival. We would have paid the criminal gangs if it wasn't for the confidence the Progent experts afforded us. That you were able to get our messaging and key applications back online quicker than a week was incredible. Each expert I got help from or e-mailed at Progent was totally committed to getting our system up and was working all day and night to bail us out."

Progent worked hand in hand with the client to rapidly identify and prioritize the essential systems that had to be addressed in order to continue business operations:

  • Windows Active Directory
  • E-Mail
  • Accounting/MRP

To begin, Progent followed anti-virus industry incident response best practices by halting lateral movement and cleaning up infected systems. Progent then began rebuilding Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the customer's financials and MRP software used Microsoft SQL Server, which relies on Windows AD for authentication to the database.

In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then performed reinstallations and hard drive recovery of critical applications. All Microsoft Exchange Server data and configuration information were intact, which accelerated the restore of Exchange. Progent was able to find intact OST files (Microsoft Outlook Off-Line Data Files) on staff PCs and laptops to recover email data. A recent off-line backup of the client's financials/MRP systems made it possible to bring these essential services back to users. Although a large amount of work remained to recover fully from the Ryuk attack, core systems were recovered quickly:


"For the most part, the production manufacturing operation showed little impact and we delivered all customer sales."

Throughout the next few weeks key milestones in the restoration project were accomplished through close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Exchange Server with over 4 million archived emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control functions were completely functional.
  • A new Palo Alto 850 firewall was set up.
  • Most of the user PCs were operational.

"So much of what transpired in the initial days is mostly a blur for me, but our team will not forget the dedication each of your team accomplished to give us our company back. I've entrusted Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This event was a life saver."

Conclusion
A potential business-killing catastrophe was dodged thanks to top-tier professionals, a broad array of technical expertise, and tight collaboration. In hindsight, the ransomware incident detailed here could have been blocked with advanced security systems, ISO/IEC 27001 best practices, staff education, and appropriate incident response procedures covering data backup and patching controls. The reality remains, however, that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware attack, you can be confident that Progent's roster of experts has substantial experience in ransomware defense, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), I'm grateful for letting me get rested after we made it past the most critical parts. Everyone did an amazing job, and if any of your guys is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Guarulhos a portfolio of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services include next-generation artificial intelligence technology to uncover new strains of crypto-ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting-edge behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to automate the entire malware attack progression including filtering, infiltration detection, mitigation, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP deployment that meets your organization's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement the policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also help your company install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup software providers to produce ProSight Data Protection Services, a selection of subscription-based offerings that provide backup-as-a-service. ProSight DPS products manage and monitor your data backup operations and enable non-disruptive backup and fast restoration of important files, applications, images, and VMs. ProSight DPS lets you avoid data loss caused by hardware failures, natural calamities, fire, malware like ransomware, user error, ill-intentioned employees, or software bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to provide web-based management and world-class protection for all your email traffic. The powerful structure of the Email Guard managed service combines a Cloud Protection Layer with a local gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This reduces your exposure to external threats and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper level of inspection for incoming email. For outbound email, the on-premises security gateway offers AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also help Exchange Server monitor and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to diagram, track, reconfigure and debug their networking hardware like routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that network diagrams are always current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, finding appliances that require critical software patches, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the state of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your assigned Progent engineering consultant so any potential issues can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved easily to an alternate hosting solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect data about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs or warranties. By updating and organizing your IT documentation, you can eliminate as much as 50% of time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates next-generation behavior-based analysis tools to defend endpoints as well as physical and virtual servers against new malware attacks like ransomware and email phishing, which easily evade traditional signature-matching AV products. Progent Active Security Monitoring services safeguard local and cloud-based resources and provide a unified platform to automate the complete malware attack lifecycle including protection, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
    Progent's Help Center managed services allow your information technology team to outsource Help Desk services to Progent or split activity for support services transparently between your internal support staff and Progent's extensive pool of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent extension of your in-house support staff. End user interaction with the Help Desk, provision of technical assistance, issue escalation, ticket creation and updates, efficiency measurement, and management of the service database are consistent whether issues are resolved by your internal support organization, by Progent, or both. Read more about Progent's outsourced/shared Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of any size a versatile and cost-effective solution for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information system. In addition to maximizing the security and reliability of your IT network, Progent's patch management services free up time for your IT staff to focus on line-of-business initiatives and activities that derive the highest business value from your information network. Read more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. Using 2FA, whenever you sign into a protected application and enter your password you are requested to verify who you are on a device that only you possess and that uses a different network channel. A wide range of devices can be utilized as this added means of authentication such as a smartphone or watch, a hardware/software token, a landline phone, etc. You can designate multiple verification devices. For more information about Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of real-time reporting tools designed to work with the top ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as inconsistent support follow-through or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24/7/365 Guarulhos Crypto Remediation Services, contact Progent at 800-462-8800 or go to Contact Progent.