Ransomware : Your Worst IT Nightmare
Ransomware  Remediation ExpertsCrypto-Ransomware has become an escalating cyberplague that presents an extinction-level threat for organizations unprepared for an assault. Multiple generations of crypto-ransomware like the Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for years and continue to inflict damage. Recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, as well as daily as yet unnamed malware, not only encrypt online information but also infiltrate all configured system restores and backups. Files replicated to the cloud can also be rendered useless. In a vulnerable system, it can make automated restoration hopeless and basically sets the datacenter back to zero.

Restoring programs and data after a ransomware attack becomes a race against time as the targeted business tries its best to contain and remove the virus and to restore business-critical activity. Since ransomware requires time to move laterally, penetrations are frequently launched on weekends and holidays, when attacks are likely to take longer to identify. This compounds the difficulty of quickly mobilizing and coordinating a knowledgeable mitigation team.

Progent offers a variety of help services for protecting enterprises from crypto-ransomware attacks. Among these are team member training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of the latest generation security appliances with artificial intelligence technology to intelligently identify and disable new threats. Progent also can provide the assistance of expert ransomware recovery engineers with the talent and perseverance to reconstruct a compromised system as urgently as possible.

Progent's Ransomware Restoration Support Services
Following a crypto-ransomware event, paying the ransom in cryptocurrency does not ensure that cyber hackers will respond with the needed codes to decipher any or all of your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The other path is to re-install the mission-critical parts of your IT environment. Without access to complete system backups, this requires a wide range of skills, well-coordinated project management, and the willingness to work non-stop until the job is over.

For twenty years, Progent has provided professional Information Technology services for companies in Downers Grove and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience in financial management and ERP applications. This breadth of expertise provides Progent the ability to quickly ascertain necessary systems and consolidate the remaining components of your Information Technology system following a ransomware penetration and rebuild them into a functioning system.

Progent's recovery team of experts uses state-of-the-art project management tools to coordinate the complicated recovery process. Progent understands the urgency of acting rapidly and in unison with a customerís management and Information Technology resources to prioritize tasks and to get critical applications back on-line as soon as humanly possible.

Case Study: A Successful Crypto-Ransomware Virus Recovery
A business contacted Progent after their organization was brought down by Ryuk ransomware. Ryuk is thought to have been created by North Korean state hackers, suspected of using technology exposed from the United States National Security Agency. Ryuk targets specific organizations with limited room for operational disruption and is one of the most profitable examples of ransomware viruses. Major victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company located in the Chicago metro area with around 500 staff members. The Ryuk event had paralyzed all company operations and manufacturing processes. The majority of the client's data backups had been on-line at the time of the attack and were destroyed. The client considered paying the ransom (more than two hundred thousand dollars) and wishfully thinking for good luck, but in the end utilized Progent.


"I cannot say enough about the help Progent gave us throughout the most fearful time of (our) businesses survival. We would have paid the criminal gangs if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and critical servers back into operation quicker than a week was beyond my wildest dreams. Each expert I worked with or messaged at Progent was amazingly focused on getting us working again and was working day and night on our behalf."

Progent worked together with the customer to quickly determine and prioritize the essential systems that had to be restored in order to continue business functions:

  • Windows Active Directory
  • Electronic Messaging
  • MRP System
To start, Progent followed Anti-virus event response industry best practices by halting lateral movement and cleaning up infected systems. Progent then initiated the steps of restoring Microsoft AD, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange email will not operate without Windows AD, and the customerís MRP system used Microsoft SQL Server, which requires Windows AD for access to the data.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then charged ahead with rebuilding and hard drive recovery on essential systems. All Exchange Server ties and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to locate local OST files (Outlook Email Offline Data Files) on staff workstations to recover email messages. A not too old off-line backup of the businesses financials/MRP software made them able to restore these essential applications back online. Although a lot of work was left to recover completely from the Ryuk event, the most important services were restored rapidly:


"For the most part, the production manufacturing operation never missed a beat and we produced all customer sales."

During the next couple of weeks critical milestones in the recovery process were achieved through close collaboration between Progent team members and the client:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Exchange Server containing more than 4 million archived messages was restored to operations and available for users.
  • CRM/Orders/Invoicing/AP/AR/Inventory capabilities were fully recovered.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • 90% of the user workstations were back into operation.

"A huge amount of what transpired that first week is nearly entirely a fog for me, but our team will not soon forget the dedication all of you accomplished to give us our company back. Iíve trusted Progent for the past 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A possible business-ending catastrophe was averted by results-oriented experts, a broad range of IT skills, and tight teamwork. Although in analyzing the event afterwards the ransomware attack described here should have been identified and prevented with up-to-date security technology solutions and security best practices, user training, and well thought out incident response procedures for information backup and keeping systems up to date with security patches, the reality remains that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware penetration, feel confident that Progent's roster of experts has substantial experience in ransomware virus defense, removal, and data disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for allowing me to get rested after we made it past the initial fire. Everyone did an amazing job, and if any of your team is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Downers Grove a variety of online monitoring and security assessment services designed to assist you to reduce your vulnerability to crypto-ransomware. These services include next-generation machine learning technology to detect new strains of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior analysis technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to automate the complete threat lifecycle including filtering, detection, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer economical multi-layer protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business to plan and implement a ProSight ESP deployment that meets your company's specific requirements and that allows you demonstrate compliance with government and industry information security regulations. Progent will assist you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent can also assist your company to set up and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates your backup activities and allows rapid recovery of critical files, applications and virtual machines that have become unavailable or corrupted as a result of component breakdowns, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to an on-promises device, or to both. Progent's cloud backup consultants can deliver world-class expertise to configure ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FIRPA, and PCI and, whenever needed, can help you to restore your business-critical information. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security companies to deliver centralized control and comprehensive security for your inbound and outbound email. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks most unwanted email from reaching your security perimeter. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a further level of inspection for incoming email. For outbound email, the onsite gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, track, optimize and debug their connectivity appliances such as switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept current, captures and displays the configuration information of virtually all devices on your network, monitors performance, and sends alerts when issues are detected. By automating complex network management processes, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating appliances that need important updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses advanced remote monitoring and management techniques to help keep your IT system operating efficiently by checking the state of critical assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT management staff and your assigned Progent consultant so any looming issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the system is virtualized, it can be moved easily to an alternate hosting environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate as much as 50% of time spent trying to find vital information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether youíre making enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Find out more about ProSight IT Asset Management service.
For 24-Hour Downers Grove Crypto Cleanup Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.