Ransomware : Your Feared Information Technology Disaster
Ransomware Remediation Experts

Crypto-ransomware has become a too-frequent cyber pandemic that poses an enterprise-level threat for businesses poorly prepared for an attack. Different versions of ransomware like the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause harm. The latest versions of ransomware like Ryuk and Hermes, along with daily as yet unnamed newcomers, not only encrypt online critical data but also infect most accessible system backups. Data replicated to cloud environments can also be encrypted. In a poorly architected data protection solution, this can make automatic restore operations hopeless and basically knocks the entire system back to square one.

Retrieving applications and data after a ransomware attack becomes a race against the clock as the targeted organization fights to contain and clear the virus and to restore mission-critical operations. Because crypto-ransomware requires time to move laterally, the encryption stage is often triggered at night, when intrusions typically take longer to detect. This multiplies the difficulty of rapidly assembling and organizing a qualified response team.

Progent makes available a range of solutions for securing organizations from ransomware attacks. These include user training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of the latest generation security solutions with artificial intelligence capabilities to rapidly identify and extinguish day-zero cyber threats. Progent also offers the assistance of experienced ransomware recovery engineers with the talent and perseverance to reconstruct a breached network as quickly as possible.

Progent's Ransomware Recovery Services
Subsequent to a ransomware event, paying the ransom in cryptocurrency does not ensure that cyber criminals will respond with the codes needed to decipher all your data. Kaspersky determined that 17% of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the mission-critical parts of your Information Technology environment. Without access to complete data backups, this calls for a wide range of skills, top-notch project management, and the capability to work continuously until the recovery project is finished.

For decades, Progent has made available professional Information Technology services for businesses in Downers Grove and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably identify important systems, integrate the surviving parts of your computer network environment following a ransomware attack, and configure them into an operational network.

Progent's security team of experts has powerful project management systems to orchestrate the complex restoration process. Progent appreciates the urgency of working quickly and in unison with a client's management and IT staff to prioritize tasks and to put the most important services back on line as fast as possible.

Client Case Study: A Successful Crypto-Ransomware Incident Restoration
A client contacted Progent after their network was attacked by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk goes after specific businesses with little tolerance for disruption and is one of the most profitable iterations of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. The majority of the client's data backups had been online at the time of the intrusion and were damaged. The client was evaluating paying the ransom (exceeding $200K) and praying for good luck, but ultimately made the decision to use Progent.

"I can't say enough in regards to the expertise Progent gave us during the most fearful time of (our) business's survival. We had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent group provided us. That you were able to get our e-mail and production applications back into operation sooner than 1 week was something I thought impossible. Each consultant I interacted with or e-mailed at Progent was urgently focused on getting our company operational and was working day and night on our behalf."

Progent worked hand in hand with the client to quickly determine and prioritize the critical services that had to be recovered to make it possible to resume departmental functions:

  • Microsoft Active Directory
  • Electronic Mail
  • Financials/MRP

To begin, Progent adhered to anti-virus incident response best practices by stopping the spread and cleaning systems of malware. Progent then began the steps of recovering Windows Active Directory, the core of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange Server email will not operate without Windows AD, and the business's accounting and MRP system utilized Microsoft SQL Server, which depends on Active Directory services for authentication and authorization to the databases.

Within 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then accomplished setup and hard drive recovery of the most important applications. All Exchange ties and attributes were usable, which accelerated the restore of Exchange. Progent was also able to find local OST data files (Microsoft Outlook Offline Data Files) on team PCs to recover email messages. A not-too-old offline backup of the customer's financials/MRP software made it possible to bring these required services back online. Although major work still needed to be completed to recover fully from the Ryuk virus, critical services were restored quickly:


"For the most part, the manufacturing operation was never shut down and we produced all customer shipments."

Over the next month, critical milestones in the restoration process were completed through close collaboration between Progent team members and the client:

  • In-house web sites were brought back up without losing any data.
  • The MailStore archive server for Exchange, holding more than 4 million archived emails, was restored to operation and made accessible to users.
  • CRM/Customer Orders/Invoicing/AP/AR/Inventory Control modules were 100% operational.
  • A new Palo Alto 850 security appliance was brought online.
  • 90% of the desktops and laptops were back into operation.

"So much of what went on that first week is mostly a haze for me, but my team will not forget the dedication each and every one of you put in to help get our company back. I have been working with Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A possible business extinction disaster was averted with top-tier experts, a wide array of subject matter expertise, and close collaboration. In hindsight, the crypto-ransomware attack described here would have been identified and stopped with up-to-date cyber security solutions and best practices, staff training, properly executed incident response procedures, offline backups, and systems kept current with security patches. The reality remains, however, that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware virus, feel confident that Progent's roster of professionals has substantial experience in ransomware blocking, remediation, and file disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for letting me get rested after we made it through the initial fire. All of you did a fabulous effort, and if any of your guys are in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Downers Grove a variety of online monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services incorporate modern machine learning capability to detect zero-day variants of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting edge behavior-based analysis tools to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily get by legacy signature-based AV tools. ProSight ASM safeguards local and cloud-based resources and offers a unified platform to address the entire threat lifecycle including filtering, identification, mitigation, cleanup, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization experts can assist your business to design and implement a ProSight ESP environment that meets your company's specific requirements and that allows you to demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent's consultants can also assist your company to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed solution for secure backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of critical files, apps and VMs that have become lost or corrupted due to component breakdowns, software glitches, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight DPS to be compliant with regulatory standards like HIPAA, FINRA, and PCI and, whenever necessary, can help you to recover your critical data. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security companies to deliver centralized control and world-class security for all your email traffic. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with a local gateway device to offer advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway device adds a deeper level of inspection for inbound email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, optimize and troubleshoot their networking appliances like routers, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology maps are always updated, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and generates notices when potential issues are detected. By automating complex network management activities, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, finding devices that require important software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your network running efficiently by tracking the health of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent engineering consultant so that all looming issues can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected fault-tolerant data center on a fast virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hosting solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard data about your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can eliminate up to half of the time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

For 24/7/365 Downers Grove CryptoLocker Repair Help, reach out to Progent at 800-993-9400 or go to Contact Progent.