Ransomware: Your Feared Information Technology Disaster
Ransomware Recovery Professionals
Ransomware has become a modern cyber pandemic that represents an extinction-level threat for organizations unprepared for an attack. Earlier families of ransomware such as the Dharma, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been replicating for many years and still cause havoc. Modern crypto-ransomware variants like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with a daily stream of unnamed malware, not only encrypt online files but also go after every system protection mechanism they can reach. Files synced to off-site disaster recovery sites can also be ransomed. In a poorly designed system, this can make any recovery impossible and effectively sets the network back to zero.

Recovering services and information after a crypto-ransomware event becomes a sprint against the clock as the victim tries to contain the damage, eradicate the ransomware, and restore enterprise-critical activity. Because ransomware needs time to spread, attacks are often launched at night, when intrusions may take longer to notice. This multiplies the difficulty of quickly marshalling and organizing a knowledgeable response team.

Progent offers a variety of services for protecting organizations from crypto-ransomware intrusions. Among these are team training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances with AI technology from SentinelOne to identify and disable zero-day cyber threats. Progent also provides the assistance of veteran ransomware recovery engineers with the track record and commitment to reconstruct a compromised network as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware event, paying the ransom demanded in Bitcoin does not guarantee that the remote criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never recovered their files even after sending the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to piece back together the key elements of your Information Technology environment. Without access to full system backups, this requires a broad range of skill sets, professional team management, and the willingness to work 24x7 until the recovery project is done.

For two decades, Progent has offered professional Information Technology services for businesses in St. Louis and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have earned top certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience gives Progent the skills to efficiently identify critical systems, re-organize the remaining pieces of your IT system after a ransomware attack, and configure them into an operational system.

Progent's security team uses best-of-breed project management applications to coordinate the complex restoration process. Progent understands the urgency of working swiftly and in unison with a client's management and Information Technology team members to prioritize tasks and get the most important applications back online as soon as humanly possible.

Customer Story: A Successful Ransomware Virus Restoration
A small business engaged Progent after their network was brought down by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored criminal gangs, possibly using approaches leaked from America's National Security Agency. Ryuk targets specific companies with little room for disruption and is among the most profitable instances of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area with around 500 staff members. The Ryuk attack had shut down all essential operations and manufacturing capabilities. Most of the client's system backups had been online at the start of the attack and were destroyed. The client was considering paying the ransom (in excess of $200K) and hoping for good luck, but ultimately brought in Progent.


"I cannot speak enough in regards to the support Progent gave us throughout the most fearful time of (our) company's life. We would have had little choice but to pay the cybercriminals if it weren't for the confidence the Progent experts provided us. That you could get our e-mail system and production servers back online in less than 1 week was incredible. Every single staff member I talked with or texted at Progent was laser focused on getting us operational and was working 24 by 7 on our behalf."

Progent worked with the client to quickly identify and prioritize the essential applications that had to be restored in order to restart business operations:

  • Active Directory (AD)
  • Microsoft Exchange
  • Financials/MRP

To begin, Progent followed anti-malware intrusion mitigation best practices by halting the spread and disinfecting systems. Progent then started the process of recovering Windows Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without AD, and the business's MRP software used Microsoft SQL Server, which depends on Windows AD for authentication to the database.

Within two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then helped perform setup and storage recovery on essential systems. All Exchange connections and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on staff PCs in order to recover mail information. A reasonably recent offline backup of the business's accounting/MRP systems made it possible to return these essential services to users. Although major work still had to be done to recover completely from the Ryuk damage, essential services were recovered rapidly:
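The OST recovery step above depends on finding cached mailbox files that the ransomware did not touch. The following PowerShell triage script is an added example, not Progent's code; it assumes the default Outlook profile layout under C:\Users and checks each candidate file for the "!BDN" signature that every intact PST/OST file starts with, so that files that were encrypted in place (or renamed with an extra extension) are separated from usable ones.

```powershell
# Added example (not from the original case study): inventory OST files on a
# Windows workstation and flag which ones still carry the intact PST/OST header.
# Assumptions: profiles live under C:\Users and Outlook is closed, since an open
# OST is locked and cannot be read.
function Get-OstTriage {
    param(
        [string]$ProfileRoot = 'C:\Users'   # assumed profile root; adjust per image
    )
    # Every PST/OST file begins with the 4-byte magic "!BDN" (0x21 0x42 0x44 0x4E).
    # An encrypted file almost never preserves it, even when its name still ends in .ost.
    $signature = [byte[]](0x21, 0x42, 0x44, 0x4E)

    # '*.ost*' also catches files that ransomware renamed by appending an extension.
    Get-ChildItem -Path $ProfileRoot -Recurse -Filter '*.ost*' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $header = New-Object byte[] 4
            try {
                $fs = [System.IO.File]::OpenRead($_.FullName)
                try { $read = $fs.Read($header, 0, 4) } finally { $fs.Dispose() }
                $intact = ($read -eq 4) -and
                          (@(Compare-Object $header $signature -SyncWindow 0).Count -eq 0)
            } catch {
                $intact = $null   # locked or unreadable; re-check with Outlook closed
            }
            [pscustomobject]@{
                Path         = $_.FullName
                SizeMB       = [math]::Round($_.Length / 1MB, 1)
                LastWrite    = $_.LastWriteTime
                HeaderIntact = $intact
            }
        }
}

# Intact files sort to the top; newest first within each group.
Get-OstTriage | Sort-Object HeaderIntact, LastWrite -Descending | Format-Table -AutoSize
```

Files reported with HeaderIntact equal to True are candidates for copying to clean media before any rebuild work touches the workstation.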


"For the most part, the manufacturing operation did not miss a beat and we made all customer sales."

Over the next few weeks critical milestones in the restoration process were made through close cooperation between Progent consultants and the customer:

  • Internal web applications were returned to operation with no loss of data.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million historical messages, was brought online and made available to users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory functions were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Most of the desktop computers were operational.

"So much of what happened in the early hours is nearly entirely a haze for me, but our team will not forget the countless hours all of you accomplished to give us our business back. I have been working together with Progent for the past ten years, maybe more, and each time Progent has come through and delivered as promised. This time was a stunning achievement."

Conclusion
A potential enterprise-killing catastrophe was avoided through dedicated professionals, a broad spectrum of subject matter expertise, and tight teamwork. Although a post-mortem shows that the crypto-ransomware attack detailed here could have been stopped with advanced cyber security solutions and security best practices, user training, well-designed incident response procedures for data protection, and proper patching controls, the reality remains that government-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware intrusion, be confident that Progent's roster of professionals has proven experience in ransomware defense, removal, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), thank you for letting me get some sleep after we made it past the first week. Everyone did an amazing effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in St. Louis a range of remote monitoring and security assessment services designed to help you minimize your vulnerability to crypto-ransomware. These services include next-generation artificial intelligence technology to detect new strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting-edge behavior-based machine learning tools to defend physical and virtual endpoints against modern malware attacks such as ransomware and fileless exploits, which routinely evade traditional signature-matching AV products. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to address the complete threat lifecycle including blocking, detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge tools incorporated within one agent accessible from a single control. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP environment that meets your organization's unique needs and that helps you prove compliance with government and industry data security standards. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require immediate action. Progent can also help your company to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup technology companies to create ProSight Data Protection Services (DPS), a selection of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup processes and enable transparent backup and rapid restoration of important files, applications, images, and virtual machines. ProSight DPS helps your business avoid data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned insiders, or software glitches. Managed backup services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security vendors to provide web-based control and comprehensive security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. The cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device adds a further level of inspection for incoming email. For outbound email, the local gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that network diagrams are kept updated, copies and displays the configuration information of virtually all devices on your network, monitors performance, and sends notices when issues are discovered. By automating tedious network management activities, WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding appliances that require critical updates, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT management staff and your Progent consultant so any potential problems can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By updating and managing your network documentation, you can eliminate up to half of the time spent trying to find vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes next-generation behavior analysis tools to defend endpoint devices and physical and virtual servers against new malware attacks like ransomware and email phishing, which routinely escape traditional signature-based anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and provide a single platform to address the entire malware attack progression including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Help Desk managed services permit your information technology staff to offload Support Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your internal network support group and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a transparent extension of your corporate IT support resources. End user access to the Service Desk, delivery of technical assistance, problem escalation, ticket creation and updates, efficiency metrics, and management of the support database are consistent whether incidents are resolved by your core support staff, by Progent, or by a combination. Read more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT system. In addition to maximizing the protection and reliability of your computer network, Progent's patch management services free up time for your in-house IT staff to concentrate on line-of-business projects and tasks that deliver maximum business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication. Duo enables single-tap identity verification with Apple iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to verify your identity via a device that only you possess and that is reached over a separate network channel. A broad range of devices can be used for this added form of authentication, including an iPhone, Android phone or wearable, a hardware token, or a landline telephone. You can designate multiple verification devices. To learn more about Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication services for access security.

For 24x7x365 St. Louis CryptoLocker Removal Consultants, contact Progent at 800-462-8800 or go to Contact Progent.