Ransomware: Your Worst Information Technology Nightmare
Crypto-ransomware has become a modern cyber pandemic that presents an existential danger for businesses of all sizes that are poorly prepared for an assault. Multiple generations of crypto-ransomware such as CrySIS, CryptoWall, Locky, NotPetya and MongoLock have been circulating for a long time and still inflict havoc. Recent versions of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, as well as frequent unnamed malware, not only encrypt online files but also infect most accessible system protection mechanisms. Information synced to the cloud can also be rendered useless. In a vulnerable system, this can defeat any recovery attempt and effectively set the network back to zero.
Recovering programs and information after a crypto-ransomware intrusion becomes a sprint against time as the victim struggles to stop lateral movement, clean up the crypto-ransomware, and resume business-critical activity. Since crypto-ransomware needs time to move laterally, attacks are frequently launched at night, when they are likely to take longer to identify. This compounds the difficulty of quickly mobilizing and organizing a capable mitigation team.
Progent offers an assortment of solutions for securing businesses from crypto-ransomware penetrations. Among these are team education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security solutions with AI technology from SentinelOne to identify and suppress zero-day cyber attacks quickly. Progent can also provide the services of veteran ransomware recovery professionals with the track record and commitment to reconstruct a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware attack, paying the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the codes needed to decrypt all your information. Kaspersky determined that 17% of ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far above the usual ransomware demand, which ZDNET estimates to average around $13,000. The alternative is to piece back together the mission-critical elements of your Information Technology environment. Without full system backups, this requires a broad range of skills, well-coordinated team management, and the ability to work 24x7 until the task is over.
For two decades, Progent has provided certified expert Information Technology services for businesses in Milwaukee and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the capability to knowledgeably identify important systems, consolidate the surviving parts of your Information Technology environment after a ransomware attack, and assemble them into a functioning system.
Progent's ransomware team uses top-notch project management applications to orchestrate the complex recovery process. Progent knows the urgency of working rapidly and in concert with a client's management and IT staff to prioritize tasks and to get essential systems back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Intrusion Recovery
A customer engaged Progent after their organization was taken over by Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored criminal gangs, suspected of adopting algorithms leaked from America's NSA. Ryuk seeks specific organizations with limited tolerance for operational disruption and is among the most lucrative instances of ransomware malware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in the Chicago metro area with around 500 staff members. The Ryuk attack had disabled all company operations and manufacturing capabilities. Most of the client's backups had been online at the time of the attack and were eventually encrypted. The client was evaluating paying the ransom (in excess of $200,000) and hoping for the best, but ultimately reached out to Progent.
"I cannot tell you enough about the help Progent provided us during the most fearful time of (our) company's life. We would have paid the cybercriminals if it wasn't for the confidence the Progent experts afforded us. That you were able to get our e-mail system and key servers back online in less than 1 week was earth shattering. Every single expert I spoke to or texted at Progent was totally committed to getting us operational and was working day and night to bail us out."
Progent worked with the customer to quickly identify and prioritize the essential applications that had to be addressed to allow business operations to continue:
- Microsoft Active Directory
- MRP System
To begin, Progent followed anti-virus/malware incident response best practices by isolating and cleaning up compromised systems. Progent then began recovering Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not work without Windows AD, and the business's MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.
Within 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery of mission-critical systems. All Exchange Server ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to collect intact OST files (Outlook offline data files) from user desktop computers in order to recover email data. A fairly recent offline backup of the business's accounting/MRP systems made it possible to return these vital services to users. Although a large amount of work remained to recover fully from the Ryuk attack, essential services were returned to operation quickly:
"For the most part, the manufacturing operation did not miss a beat and we made all customer orders."
Throughout the following month, important milestones in the restoration project were accomplished in tight cooperation between Progent team members and the client:
- In-house web applications were returned to operation without losing any data.
- The MailStore email archive for Microsoft Exchange Server, holding more than 4 million archived emails, was returned to operation and made accessible to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivable/Inventory Control modules were completely operational.
- A new Palo Alto Networks 850 firewall was brought online.
- 90% of the desktop computers were back in use by staff.
"So much of what happened in the initial days is mostly a fog for me, but I will not soon forget the commitment each of you put in to help get our business back. I have trusted Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This time was a testament to your capabilities."
A potentially business-ending disaster was averted thanks to results-oriented experts, a wide range of subject matter expertise, and tight teamwork. Post-incident forensics showed that the ransomware incident described here could have been identified and blocked with advanced cyber security technology, NIST Cybersecurity Framework best practices, staff training, properly executed incident response procedures for information protection, and timely security patching. The reality remains, however, that state-sponsored hackers from Russia, China and elsewhere are tireless and will keep trying. If you do fall victim to a ransomware incursion, be confident that Progent's roster of professionals has a proven track record in ransomware defense, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), thank you for letting me get rested after we made it over the initial push. All of you did a fabulous job, and if anyone is in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer case study, see Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Milwaukee a portfolio of online monitoring and security assessment services designed to help you reduce the threat from ransomware. These services include next-generation machine learning technology to uncover new strains of ransomware that can get past legacy signature-based anti-virus products.
For 24-hour Milwaukee crypto-ransomware recovery consulting, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses SentinelOne's cutting-edge behavior-based machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and offers a single platform to manage the entire malware attack progression, including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge tools packaged within one agent accessible from a single console. Progent's data protection and virtualization experts can help you plan and implement a ProSight ESP environment that addresses your organization's unique needs and allows you to demonstrate compliance with government and industry data security standards. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent can also help you set up and test a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has partnered with advanced backup technology companies to produce ProSight Data Protection Services (DPS), a family of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and enable non-disruptive backup and fast restoration of critical files, apps, system images, and virtual machines. ProSight DPS helps you protect against data loss caused by hardware failures, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned insiders, or software bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to deliver centralized management and world-class protection for all your email traffic. The hybrid structure of the Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most threats before they reach your network firewall. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway device provides a deeper layer of inspection for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam protection, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server track and protect internal email that originates and ends inside your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, track, optimize and troubleshoot their networking appliances such as switches, firewalls, and load balancers, plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always up to date, captures and manages the configuration of almost all devices connected to your network, monitors performance, and sends notices when issues are detected. By automating complex management activities, ProSight WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, finding devices that require important updates, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management techniques to help keep your network operating efficiently by checking the health of the vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT staff and your Progent consultant so any looming problems can be resolved before they disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hardware environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect data about your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to half of the time spent searching for vital information about your network. ProSight IT Asset Management provides a centralized location for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next-generation behavior-based machine learning technology to defend endpoints as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-based AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a single platform to manage the complete malware attack progression, including blocking, detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Desk: Help Desk Managed Services
Progent's Call Desk managed services enable your information technology team to outsource Help Desk services to Progent or to divide support activity seamlessly between your in-house network support resources and Progent's nationwide roster of certified IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth supplement to your core IT support group. User access to the Service Desk, provision of support, issue escalation, trouble ticket creation and tracking, efficiency metrics, and management of the support database are cohesive regardless of whether issues are resolved by your corporate support group, by Progent, or both. Find out more about Progent's outsourced/shared Help Desk services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for patch management offer businesses of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, implementing, and documenting updates to your dynamic IT network. Besides maximizing the protection and functionality of your computer environment, Progent's software/firmware update management services free up time for your in-house IT staff to concentrate on more strategic projects and tasks that deliver maximum business value from your information network. Read more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo MFA managed services use Cisco's Duo cloud technology to defend against password theft through two-factor authentication. Duo supports one-tap identity confirmation on iOS, Android, and other personal devices. With 2FA, whenever you sign into a protected application and enter your password, you are asked to verify your identity on a device that only you have and that uses a separate network channel. A broad selection of out-of-band devices can be used for this second form of authentication, such as a smartphone or watch, a hardware or software token, or a landline telephone. You may designate multiple verification devices. For more information about ProSight Duo two-factor identity validation services, see Duo MFA two-factor authentication services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of real-time and in-depth management reporting tools designed to integrate with the industry's top ticketing and remote network monitoring programs, including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and uses color coding to surface and contextualize key issues like inconsistent support follow-through or endpoints with out-of-date anti-virus software. By identifying ticketing or network health concerns clearly and in near real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.