Ransomware: Your Crippling IT Nightmare
Ransomware has become a modern cyber pandemic that represents an existential threat for businesses of all sizes vulnerable to an attack. Multiple generations of ransomware like the Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for a long time and continue to cause havoc. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus as yet unnamed viruses that appear daily, not only encrypt online files but also infiltrate many configured system backups. Data replicated to the cloud can also be corrupted. In a poorly designed data protection solution, this can make automatic restore operations useless and effectively set the datacenter back to square one.

Restoring services and data following a ransomware event becomes a sprint against time as the targeted business tries its best to contain and clean up the ransomware and to restore business-critical activity. Because ransomware needs time to move laterally, penetrations are usually launched during weekends and nights, when attacks are likely to take longer to uncover. This multiplies the difficulty of rapidly marshalling and organizing an experienced mitigation team.

Progent provides a range of services for securing organizations from ransomware events. Among these are staff training to recognize phishing attempts and avoid falling victim to them, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with artificial intelligence capabilities to automatically detect and quarantine zero-day threats. Progent also offers the assistance of veteran crypto-ransomware recovery consultants with the talent and perseverance to reconstruct a breached system as soon as possible.

Progent's Ransomware Restoration Services
After a ransomware attack, even paying the ransom demands in cryptocurrency does not ensure that cyber criminals will return the keys to decrypt any of your files. Kaspersky determined that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000). This is far above the usual ransomware demands, which ZDNET determined to be around $13,000. The fallback is to piece back together the vital elements of your Information Technology environment. Without the availability of complete system backups, this calls for a wide range of skill sets, top-notch team management, and the ability to work non-stop until the task is over.

For twenty years, Progent has made available certified expert Information Technology services for companies in Milwaukee and throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded high-level industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience in accounting and ERP application software. This breadth of experience affords Progent the skills to rapidly identify important systems and organize the remaining parts of your computer network environment after a ransomware event and rebuild them into an operational system.

Progent's recovery group utilizes state-of-the-art project management applications to orchestrate the complicated restoration process. Progent appreciates the importance of working swiftly and in unison with a customer's management and Information Technology team members to prioritize tasks and to put key applications back on line as fast as humanly possible.

Client Story: A Successful Ransomware Penetration Recovery
A customer contacted Progent after their organization was taken over by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, suspected of adopting technology exposed from the U.S. NSA. Ryuk goes after specific companies with little tolerance for operational disruption and is among the most lucrative instances of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with about 500 staff members. The Ryuk event had brought down all business operations and manufacturing processes. Most of the client's system backups had been online at the start of the attack and were eventually encrypted. The client considered paying the ransom demand (more than $200,000) and hoping for good luck, but ultimately engaged Progent.


"I cannot say enough in regards to the help Progent provided us during the most stressful period of (our) company's life. We would have paid the cyber criminals if it wasn't for the confidence the Progent experts gave us. That you were able to get our e-mail and production servers back on-line faster than one week was amazing. Every single expert I got help from or messaged at Progent was hell bent on getting us back on-line and was working 24/7 to bail us out."

Progent worked hand in hand with the client to quickly assess and assign priority to the mission-critical services that had to be restored to make it possible to continue company operations:

  • Microsoft Active Directory
  • Email
  • MRP System

To start, Progent adhered to ransomware incident mitigation best practices by halting the spread and cleaning infected systems. Progent then initiated the task of bringing back online Microsoft AD, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without Windows AD, and the client's MRP applications used Microsoft SQL Server, which needs Active Directory services for security authorization to the data.

In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then performed setup and hard drive recovery on essential systems. All Exchange Server ties and attributes were usable, which accelerated the rebuild of Exchange. Progent was also able to find local OST files (Outlook Off-Line Data Files) on staff workstations and laptops to recover email messages. A reasonably recent offline backup of the client's accounting/ERP systems made it possible to restore these required programs and make them available to users again. Although a lot of work was left to recover fully from the Ryuk damage, the most important systems were restored rapidly:


"For the most part, the production operation did not miss a beat and we did not miss any customer shipments."

Throughout the next couple of weeks, important milestones in the recovery project were reached in tight cooperation between Progent consultants and the customer:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Exchange Server containing more than 4 million historical emails was brought online and made accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were 100% functional.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Nearly all of the user desktops were fully operational.

"So much of what was accomplished in the initial days is nearly entirely a blur for me, but my team will not soon forget the dedication each of the team accomplished to help get our business back. I have been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This time was the most impressive ever."

Conclusion
A probable business-ending catastrophe was averted with dedicated experts, a wide range of IT skills, and tight teamwork. Although in post mortem the ransomware penetration described here should have been blocked with current cyber security systems and recognized best practices, user education, and well-designed security procedures for information protection and proper patching controls, the reality remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a crypto-ransomware incursion, remember that Progent's roster of experts has substantial experience in ransomware virus blocking, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get some sleep after we got over the initial push. Everyone did an incredible effort, and if anyone that helped is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Milwaukee a variety of remote monitoring and security assessment services to help you to reduce your vulnerability to crypto-ransomware. These services utilize modern machine learning technology to uncover zero-day variants of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which easily get by legacy signature-based AV products. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to manage the entire malware attack lifecycle including protection, identification, mitigation, cleanup, and forensics. Key capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device control, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified console. Progent's security and virtualization consultants can assist your business to design and configure a ProSight ESP environment that meets your company's unique needs and that allows you to prove compliance with government and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for immediate attention. Progent's consultants can also help your company to set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services (DPS), a selection of management offerings that deliver backup-as-a-service. ProSight DPS services manage and monitor your backup operations and enable non-disruptive backup and rapid restoration of vital files, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss resulting from hardware failures, natural calamities, fire, malware like ransomware, user error, ill-intentioned employees, or software glitches. Managed services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide centralized control and comprehensive security for your inbound and outbound email. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and keeps most threats from making it to your network firewall. This decreases your vulnerability to external attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a further level of inspection for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and debug their networking hardware like switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always current, copies and manages the configuration of almost all devices connected to your network, tracks performance, and generates notices when problems are detected. By automating complex management and troubleshooting processes, WAN Watch can knock hours off ordinary chores such as making network diagrams, reconfiguring your network, finding devices that need important software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the health of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management personnel and your assigned Progent engineering consultant so that any looming problems can be addressed before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hosting solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect information about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSLs, domains or warranties. By cleaning up and managing your network documentation, you can eliminate as much as 50% of time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior analysis tools to guard endpoint devices as well as servers and VMs against new malware attacks like ransomware and email phishing, which easily evade traditional signature-based AV products. Progent ASM services safeguard local and cloud-based resources and offer a unified platform to address the entire threat progression including protection, identification, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Center: Support Desk Managed Services
    Progent's Call Desk services enable your information technology group to outsource Support Desk services to Progent or divide responsibilities for support services transparently between your in-house support staff and Progent's nationwide roster of IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a transparent extension of your internal support resources. End user access to the Help Desk, provision of support, problem escalation, trouble ticket creation and tracking, performance metrics, and maintenance of the support database are consistent regardless of whether issues are taken care of by your internal network support staff, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of all sizes a versatile and affordable solution for assessing, validating, scheduling, applying, and tracking software and firmware updates to your dynamic IT network. Besides maximizing the security and functionality of your computer network, Progent's software/firmware update management services free up time for your in-house IT staff to focus on line-of-business projects and tasks that derive maximum business value from your network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo supports one-tap identity verification on iOS, Android, and other personal devices. Using 2FA, whenever you sign into a protected application and enter your password you are requested to verify who you are on a device that only you possess and that is accessed using a separate network channel. A broad range of out-of-band devices can be utilized for this added means of authentication such as an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You may register several validation devices. To find out more about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication (2FA) services.
For Milwaukee 24-7 Crypto Recovery Consultants, contact Progent at 800-462-8800 or go to Contact Progent.