Ransomware: Your Worst IT Disaster
Ransomware Remediation Experts
Ransomware has become a too-frequent cyberplague that poses an extinction-level danger for businesses vulnerable to an assault. Multiple generations of ransomware like the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and continue to cause damage. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, as well as more unnamed newcomers, not only encrypt online data but also infect most configured system restores and backups. Information synched to the cloud can also be rendered useless. In a poorly designed environment, this can make automatic restoration useless and basically sets the entire system back to zero.

Getting back services and data after a crypto-ransomware attack becomes a sprint against the clock as the targeted organization fights to stop lateral movement, eradicate the virus and restore mission-critical activity. Because ransomware takes time to replicate, penetrations are often launched at night, when attacks may take longer to discover. This multiplies the difficulty of quickly mobilizing and orchestrating a qualified mitigation team.

Progent makes available an assortment of services for protecting enterprises from ransomware attacks. Among these are team member education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation security solutions with machine learning technology from SentinelOne to detect and suppress zero-day cyber attacks quickly. Progent in addition offers the assistance of veteran crypto-ransomware recovery consultants with the talent and commitment to reconstruct a compromised environment as urgently as possible.

Progent's Ransomware Recovery Help
Subsequent to a crypto-ransomware penetration, sending the ransom in cryptocurrency does not ensure that criminal gangs will provide the keys to unencrypt any or all of your data. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET puts in the range of $13,000. The other path is to set up from scratch the critical elements of your IT environment. Absent the availability of full data backups, this requires a wide complement of IT skills, well-coordinated team management, and the ability to work continuously until the task is completed.

For decades, Progent has provided professional Information Technology services for companies in Milwaukee and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security experts have earned internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP software solutions. This breadth of expertise provides Progent the capability to efficiently understand critical systems and consolidate the surviving parts of your computer network environment after a crypto-ransomware event and configure them into a functioning network.

Progent's ransomware team of experts has top-notch project management tools to orchestrate the sophisticated recovery process. Progent understands the importance of acting rapidly and in unison with a client's management and Information Technology team members to assign priority to tasks and to put the most important systems back online as soon as humanly possible.

Client Story: A Successful Crypto-Ransomware Incident Restoration
A customer engaged Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, suspected of using technology exposed from America's NSA organization. Ryuk attacks specific organizations with limited tolerance for operational disruption and is one of the most lucrative incarnations of ransomware. Highly publicized targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in the Chicago metro area with around 500 workers. The Ryuk event had frozen all company operations and manufacturing capabilities. Most of the client's information backups had been online at the beginning of the intrusion and were eventually encrypted. The client was pursuing financing for paying the ransom (in excess of $200,000) and hoping for the best, but in the end utilized Progent.


"I cannot thank you enough in regards to the care Progent gave us throughout the most fearful time of (our) business's survival. We may have had to pay the cyber criminals if not for the confidence the Progent group provided us. The fact that you could get our e-mail system and key applications back online in less than a week was earth shattering. Every single expert I got help from or texted at Progent was laser focused on getting us working again and was working at breakneck pace to bail us out."

Progent worked hand in hand with the client to quickly assess and assign priority to the mission-critical areas that needed to be recovered to make it possible to resume business operations:

  • Windows Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software

To get going, Progent followed anti-virus incident response industry best practices by stopping lateral movement and cleaning up compromised systems. Progent then initiated the process of bringing back online Windows Active Directory, the key technology of enterprise systems built upon Microsoft technology. Exchange messaging will not operate without Windows AD, and the business's accounting and MRP applications used Microsoft SQL, which needs Windows AD for authentication to the data.

Within two days, Progent was able to rebuild Active Directory services to their pre-virus state. Progent then accomplished reinstallations and hard drive recovery of the most important systems. All Exchange schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Off-Line Data Files) on user workstations and laptops in order to recover email information. A fairly recent off-line backup of the business's accounting/ERP software made it possible to restore these vital applications back on-line. Although a large amount of work needed to be completed to recover totally from the Ryuk virus, essential systems were restored rapidly:


"For the most part, the manufacturing operation ran fairly normal throughout and we produced all customer orders."

During the next few weeks critical milestones in the restoration project were completed in tight collaboration between Progent consultants and the client:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Server with over four million historical emails was brought online and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory modules were 100% operational.
  • A new Palo Alto 850 firewall was deployed.
  • 90% of the user workstations were back into operation.

"A huge amount of what happened during the initial response is nearly entirely a fog for me, but our team will not soon forget the dedication each and every one of the team accomplished to help get our company back. I've trusted Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered. This situation was a Herculean accomplishment."

Conclusion
A likely enterprise-killing catastrophe was avoided through the efforts of hard-working professionals, a broad range of subject matter expertise, and close collaboration. Although forensics showed after the fact that the crypto-ransomware virus attack detailed here could have been prevented with modern cyber security solutions and security best practices, staff education, and well thought out security procedures for backup and applying software patches, the reality is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for making it so I could get rested after we made it through the initial fire. Everyone did an incredible job, and if anyone that helped is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Milwaukee a variety of remote monitoring and security assessment services to help you to reduce the threat from ransomware. These services utilize modern AI capability to detect zero-day strains of crypto-ransomware that can get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's cutting-edge behavioral machine learning tools to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily escape traditional signature-matching AV products. ProSight ASM protects on-premises and cloud resources and provides a single platform to manage the entire threat progression including filtering, identification, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can assist you to design and implement a ProSight ESP environment that addresses your organization's unique needs and that allows you to achieve and demonstrate compliance with government and industry data protection regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent can also help you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup/restore software providers to produce ProSight Data Protection Services (DPS), a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and enable non-disruptive backup and fast restoration of important files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss resulting from equipment breakdown, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed backup services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security companies to provide web-based management and comprehensive protection for all your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to offer advanced protection against spam, viruses, Denial of Service attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and blocks most threats from making it to your network firewall. This reduces your exposure to external threats and saves system bandwidth and storage space. Email Guard's on-premises gateway device adds a deeper layer of inspection for inbound email. For outbound email, the local gateway provides AV and anti-spam protection, DLP, and email encryption. The local security gateway can also help Exchange Server to monitor and safeguard internal email that stays inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and debug their connectivity appliances such as switches, firewalls, and access points plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that network diagrams are always updated, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating complex management activities, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, finding devices that need important software patches, or isolating performance issues. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT management staff and your assigned Progent engineering consultant so that any potential problems can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be ported easily to an alternate hosting solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can save up to half of the time spent looking for vital information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes cutting-edge behavior analysis technology to defend endpoints and physical and virtual servers against modern malware assaults like ransomware and email phishing, which easily escape legacy signature-based anti-virus products. Progent Active Security Monitoring services safeguard local and cloud resources and offer a unified platform to manage the entire malware attack progression including protection, detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and real-time network-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Support Center services enable your IT team to offload Call Center services to Progent or divide responsibilities for Service Desk support seamlessly between your internal support group and Progent's nationwide pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a transparent supplement to your corporate IT support staff. End user access to the Help Desk, delivery of technical assistance, issue escalation, ticket generation and updates, performance measurement, and maintenance of the support database are cohesive regardless of whether incidents are taken care of by your corporate network support resources, by Progent, or both. Read more about Progent's outsourced/co-managed Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of all sizes a versatile and affordable alternative for assessing, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information network. In addition to maximizing the protection and functionality of your computer network, Progent's software/firmware update management services permit your in-house IT staff to concentrate on line-of-business initiatives and tasks that deliver the highest business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services utilize Cisco's Duo technology to protect against stolen passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity verification with iOS, Google Android, and other out-of-band devices. Using 2FA, whenever you log into a secured application and give your password, you are requested to verify your identity via a device that only you possess and that is accessed using a separate network channel. A wide range of devices can be utilized as this added means of authentication, such as an iPhone, an Android phone or watch, a hardware token, a landline phone, etc. You may designate multiple validation devices. To learn more about ProSight Duo identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services.

For 24-7 Milwaukee Crypto-Ransomware Removal Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.