Ransomware: Your Worst IT Catastrophe
Ransomware Recovery Experts
Crypto-ransomware has become an all-too-frequent cyberplague that poses an extinction-level danger for organizations vulnerable to an attack. Ransomware families such as CrySIS, CryptoWall, Locky, SamSam and MongoLock have been circulating for many years and still cause havoc. Modern strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nefilim, along with a steady stream of unnamed newcomers, not only encrypt business-critical data that is online but also disable whatever protection mechanisms they can reach. Files synchronized to off-site disaster recovery sites can also be encrypted. In a poorly designed environment, this makes automatic recovery useless and effectively knocks the entire system back to zero.

Getting applications and data back online after a ransomware attack becomes a race against time as the victim struggles to stop lateral movement, clean up the ransomware, and restore business-critical activity. Because ransomware needs time to spread, attacks are frequently launched on weekends, when intrusions are likely to take longer to discover. This multiplies the difficulty of promptly assembling and coordinating an experienced response team.

Progent offers a range of services for protecting organizations from ransomware events. These include user education to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security software with artificial intelligence capabilities from SentinelOne to detect and suppress zero-day threats rapidly. Progent also offers the services of seasoned ransomware recovery consultants with the track record and perseverance to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware penetration, even paying the ransom in Bitcoin provides no assurance that the criminals will respond with the keys needed to decrypt any of your files. Kaspersky estimated that 17% of ransomware victims never recovered their information even after paying the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC (between $120,000 and $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to rebuild the key parts of your IT environment. Without access to complete system backups, this requires a wide complement of skill sets, professional project management, and the willingness to work 24x7 until the task is complete.

For two decades, Progent has provided expert Information Technology services for companies in Barra da Tijuca and across the United States and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned high-level certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the capability to quickly identify critical systems, reorganize the remaining parts of your IT environment after a ransomware attack, and configure them into an operational network.

Progent's security group uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the urgency of working quickly and in unison with a client's management and IT resources to prioritize tasks and get critical applications back online as fast as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Virus Restoration
A business escalated to Progent after its network was taken over by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state cybercriminals, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little or no ability to sustain operational disruption and is among the most profitable strains of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk event had frozen all company operations and manufacturing processes. Most of the client's data backups had been online at the beginning of the attack and were destroyed. The client considered paying the ransom demand (more than $200,000) and hoping for the best, but in the end engaged Progent.


"I cannot thank you enough in regards to the care Progent provided us throughout the most stressful time of (our) business's existence. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team afforded us. That you could get our e-mail system and key servers back in less than one week was incredible. Every single expert I worked with or communicated with at Progent was absolutely committed to getting us operational and was working 24 by 7 on our behalf."

Progent worked with the customer to quickly identify and prioritize the most important services that needed to be restored to make it possible to resume company functions:

  • Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software

To begin, Progent followed ransomware incident response best practices by halting lateral movement and cleaning up compromised systems. Progent then started recovering Active Directory, the heart of enterprise environments built on Microsoft technology. Exchange email will not work without Active Directory, and the business's MRP system used SQL Server, which relies on Active Directory for authentication to the database.
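The restoration order above (Active Directory first, then Exchange and SQL Server, then the applications that sit on SQL Server) is one instance of a general rule: restore each service only after everything it depends on is up. The following is an added example, not Progent's tooling or the client's inventory, that generalizes that rule into a small recovery planner: it groups services into tiers that can be restored in parallel, flags dependency cycles that would make a plan impossible, and reports what stays down while a given prerequisite is unavailable. The service names and dependency edges are constructed from the case study and are assumptions for illustration.

```python
"""Dependency-ordered recovery planning (added example, not Progent's code).

Given a map of services to the services they depend on, compute an order in
which to restore them so that no service is brought up before its
prerequisites. Uses Kahn's algorithm, so a dependency cycle is detected and
reported instead of producing a bogus plan.
"""

# Constructed sample dependency graph (service -> set of prerequisites),
# assembled from the case study narrative. Names are illustrative only.
CASE_STUDY_DEPENDENCIES = {
    "Active Directory": set(),
    "Exchange Server": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "MRP/ERP Application": {"SQL Server"},
    "Internal Web Apps": {"Active Directory", "SQL Server"},
    "MailStore Server": {"Active Directory", "Exchange Server"},
}


def restoration_tiers(deps):
    """Return a list of tiers. Every service in tier N depends only on
    services in earlier tiers, so each tier can be restored in parallel once
    the previous tier is up. Raises ValueError on a cycle or on a
    prerequisite that is not itself listed as a service."""
    unknown = {p for ps in deps.values() for p in ps if p not in deps}
    if unknown:
        raise ValueError(f"unknown prerequisites: {sorted(unknown)}")
    remaining = {svc: set(ps) for svc, ps in deps.items()}
    tiers = []
    while remaining:
        # Services whose every prerequisite has already been placed.
        ready = sorted(svc for svc, ps in remaining.items() if not ps)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        tiers.append(ready)
        for svc in ready:
            del remaining[svc]
        for ps in remaining.values():
            ps.difference_update(ready)
    return tiers


def restoration_order(deps):
    """Flatten the tiers into one sequential restore order."""
    return [svc for tier in restoration_tiers(deps) for svc in tier]


def has_cycle(deps):
    """True when no valid restoration order exists."""
    try:
        restoration_tiers(deps)
    except ValueError:
        return True
    return False


def blocked_by(deps, unavailable):
    """List every service that transitively depends on `unavailable`, i.e.
    what stays down until that prerequisite is restored."""
    dependents = {svc: set() for svc in deps}
    for svc, ps in deps.items():
        for p in ps:
            dependents[p].add(svc)
    seen, stack = set(), [unavailable]
    while stack:
        for d in dependents[stack.pop()]:
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return sorted(seen)


if __name__ == "__main__":
    for n, tier in enumerate(restoration_tiers(CASE_STUDY_DEPENDENCIES), 1):
        print(f"Tier {n}: {', '.join(tier)}")
    print("Down while SQL Server is unavailable:",
          ", ".join(blocked_by(CASE_STUDY_DEPENDENCIES, "SQL Server")))
```

Run stand-alone, the planner places Active Directory alone in tier 1, Exchange Server and SQL Server in tier 2, and the ERP, web and mail-archive applications in tier 3, which matches the sequence followed in the case study. The same function applied to a real inventory is a quick way to check, before an incident, whether a disaster recovery runbook brings services up in a workable order.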

Within 48 hours, Progent had restored Active Directory to its pre-intrusion state. Progent then began reinstalling critical applications and recovering data from their hard drives. All Exchange connectors and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder Files) on various PCs to recover mail data. A fairly recent offline backup of the client's financial/ERP systems made it possible to bring these vital services back online. Although a large amount of work remained to recover fully from the Ryuk event, the most important services were recovered quickly:


"For the most part, the production operation showed little impact and we did not miss any customer deliverables."

Over the following couple of weeks, important milestones in the recovery were reached through close cooperation between Progent team members and the customer:

  • Internal web applications were brought back up with no loss of information.
  • The MailStore Server, holding more than four million archived messages, was brought online and made available to users.
  • The CRM, Customer Orders, Invoices, Accounts Payable (AP), Accounts Receivable (AR), and Inventory Control modules were fully functional.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Most desktop computers were back in use by staff.

"A huge amount of what went on those first few days is nearly entirely a fog for me, but I will not soon forget the dedication each of the team put in to give us our business back. I've been working with Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This event was a life saver."

Conclusion
A potential business-killing catastrophe was averted thanks to top-tier professionals, a broad range of subject matter expertise, and tight collaboration. Although forensics showed that the attack described here could have been prevented with current cybersecurity solutions, ISO/IEC 27001 best practices, user training, and appropriate incident response procedures for data backup and timely security patching, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and an ongoing threat. If you do fall victim to a crypto-ransomware incursion, you can be confident that Progent's team has extensive experience in ransomware blocking, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), I'm grateful for making it so I could get some sleep after we made it past the most critical parts. Everyone did an incredible job, and if anyone is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Barra da Tijuca a variety of remote monitoring and security evaluation services to help you reduce the threat from ransomware. These services incorporate next-generation machine learning technology to detect zero-day strains of crypto-ransomware that evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-matching AV products. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to address the entire threat lifecycle including filtering, detection, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to security attacks from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP environment that meets your organization's specific requirements and that allows you to achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent's consultants can also help you install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and enable transparent backup and fast restoration of important files/folders, apps, system images, plus virtual machines. ProSight DPS lets you avoid data loss caused by hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or application glitches. Managed services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to provide web-based control and comprehensive protection for your email traffic. The architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway appliance to offer complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. The cloud filter serves as a first line of defense and keeps most threats from reaching your network firewall. This decreases your exposure to external threats and saves network bandwidth and storage. Email Guard's on-premises security gateway adds a deeper level of inspection for incoming email. For outbound email, the onsite security gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Exchange Server track and safeguard internal email that stays inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map, track, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, copies and manages the configuration of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common chores like network mapping, expanding your network, locating devices that need important updates, or resolving performance problems. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by checking the health of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT staff and your Progent engineering consultant so all looming problems can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved easily to a different hosting solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard information about your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can save as much as half the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that uses cutting-edge behavior-based machine learning technology to defend endpoints and physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which routinely get past traditional signature-matching AV tools. The service protects on-premises and cloud-based resources and provides a single platform to automate the complete malware attack lifecycle including blocking, identification, containment, cleanup, and forensics. Top capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Help Center services enable your IT staff to outsource Call Center services to Progent or split activity for support services seamlessly between your internal network support resources and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a transparent supplement to your corporate network support group. User interaction with the Help Desk, delivery of support, issue escalation, trouble ticket generation and tracking, performance measurement, and management of the support database are consistent regardless of whether issues are resolved by your internal IT support group, by Progent, or both. Learn more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of any size a flexible and cost-effective solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information network. In addition to optimizing the protection and reliability of your IT network, Progent's patch management services free up time for your IT staff to focus on line-of-business projects and tasks that derive maximum business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services use Cisco's Duo technology to protect against password theft with two-factor authentication. Duo enables one-tap identity verification on Apple iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a secured application and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a separate network channel. A broad selection of out-of-band devices can serve as this second factor, such as an iPhone, Android phone or wearable, a hardware or software token, or a landline phone. You can register multiple verification devices. To find out more about ProSight Duo identity validation services, see Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of in-depth reporting utilities created to integrate with the industry's top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-through or machines with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

For Barra da Tijuca 24/7/365 Crypto-Ransomware Remediation Consulting, contact Progent at 800-462-8800 or go to Contact Progent.