Ransomware : Your Crippling IT Nightmare
Ransomware  Recovery ExpertsRansomware has become a too-frequent cyber pandemic that represents an extinction-level danger for organizations poorly prepared for an attack. Different iterations of crypto-ransomware like the Reveton, WannaCry, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and still inflict destruction. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, as well as frequent as yet unnamed viruses, not only encrypt online data files but also infect most configured system protection mechanisms. Data synchronized to off-site disaster recovery sites can also be ransomed. In a vulnerable system, it can make automatic recovery impossible and effectively knocks the entire system back to square one.

Getting back on-line programs and data following a crypto-ransomware outage becomes a sprint against the clock as the targeted business tries its best to stop lateral movement and cleanup the ransomware and to resume enterprise-critical activity. Due to the fact that ransomware takes time to replicate, attacks are usually sprung during nights and weekends, when penetrations in many cases take longer to discover. This multiplies the difficulty of quickly marshalling and orchestrating a capable mitigation team.

Progent has a variety of support services for protecting organizations from ransomware attacks. Among these are team training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security solutions with machine learning technology to rapidly detect and suppress day-zero threats. Progent in addition offers the services of seasoned ransomware recovery consultants with the skills and perseverance to restore a breached system as quickly as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware event, paying the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will respond with the needed codes to unencrypt any or all of your information. Kaspersky estimated that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to setup from scratch the key elements of your IT environment. Absent access to complete information backups, this calls for a broad complement of skills, top notch project management, and the ability to work non-stop until the recovery project is over.

For twenty years, Progent has provided certified expert IT services for companies in Downers Grove and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial systems and ERP application software. This breadth of experience provides Progent the capability to quickly identify important systems and organize the remaining components of your computer network system following a crypto-ransomware event and rebuild them into an operational system.

Progent's security team of experts utilizes state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent understands the importance of working swiftly and in unison with a customerís management and Information Technology team members to prioritize tasks and to put critical systems back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Virus Response
A client hired Progent after their organization was brought down by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean government sponsored criminal gangs, suspected of adopting algorithms leaked from the United States NSA organization. Ryuk goes after specific organizations with little ability to sustain disruption and is among the most lucrative incarnations of ransomware malware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company located in the Chicago metro area and has around 500 employees. The Ryuk event had frozen all business operations and manufacturing processes. Most of the client's data backups had been directly accessible at the beginning of the attack and were destroyed. The client was pursuing financing for paying the ransom (exceeding $200K) and hoping for good luck, but ultimately engaged Progent.


"I cannot say enough in regards to the care Progent gave us during the most critical time of (our) businesses survival. We may have had to pay the hackers behind this attack if not for the confidence the Progent experts gave us. That you were able to get our messaging and essential applications back faster than five days was earth shattering. Each staff member I worked with or communicated with at Progent was hell bent on getting our system up and was working day and night on our behalf."

Progent worked together with the client to quickly assess and assign priority to the mission critical elements that had to be restored to make it possible to continue company operations:

  • Active Directory
  • Email
  • Financials/MRP
To get going, Progent followed Anti-virus penetration response industry best practices by stopping the spread and clearing up compromised systems. Progent then initiated the steps of bringing back online Microsoft AD, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange email will not function without Windows AD, and the client's accounting and MRP system leveraged Microsoft SQL Server, which depends on Windows AD for security authorization to the information.

Within 2 days, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then accomplished setup and hard drive recovery on needed systems. All Exchange ties and attributes were intact, which greatly helped the restore of Exchange. Progent was able to find non-encrypted OST files (Outlook Email Offline Data Files) on various workstations in order to recover mail information. A recent offline backup of the client's financials/ERP systems made them able to restore these essential programs back online for users. Although a lot of work still had to be done to recover totally from the Ryuk damage, critical systems were restored quickly:


"For the most part, the assembly line operation did not miss a beat and we did not miss any customer shipments."

Over the following couple of weeks key milestones in the recovery process were accomplished in close collaboration between Progent engineers and the client:

  • In-house web applications were brought back up without losing any data.
  • The MailStore Exchange Server containing more than 4 million historical emails was restored to operations and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control functions were 100% functional.
  • A new Palo Alto 850 security appliance was brought online.
  • 90% of the desktops and laptops were functioning as before the incident.

"A huge amount of what happened those first few days is nearly entirely a fog for me, but we will not soon forget the care all of you put in to give us our company back. I have been working with Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This time was a stunning achievement."

Conclusion
A probable business-ending catastrophe was evaded through the efforts of hard-working professionals, a wide array of knowledge, and tight teamwork. Although upon completion of forensics the crypto-ransomware virus attack described here should have been identified and blocked with advanced cyber security systems and ISO/IEC 27001 best practices, team education, and appropriate incident response procedures for information backup and proper patching controls, the reality remains that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware virus, feel confident that Progent's team of professionals has substantial experience in ransomware virus blocking, cleanup, and data recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), Iím grateful for making it so I could get rested after we got over the most critical parts. All of you did an incredible job, and if anyone is in the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Downers Grove a range of online monitoring and security assessment services to help you to minimize your vulnerability to crypto-ransomware. These services incorporate next-generation machine learning capability to detect zero-day strains of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis technology to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-matching AV products. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to address the entire malware attack lifecycle including protection, detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering through cutting-edge tools incorporated within a single agent accessible from a single control. Progent's security and virtualization experts can help you to design and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you demonstrate compliance with government and industry data security standards. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent can also assist your company to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low cost end-to-end service for secure backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of vital files, applications and virtual machines that have become lost or corrupted due to component failures, software glitches, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to an on-promises device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class expertise to set up ProSight DPS to to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to recover your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security vendors to provide web-based management and comprehensive security for your inbound and outbound email. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises gateway device adds a deeper level of analysis for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map out, track, optimize and troubleshoot their connectivity appliances like switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT staff and your Progent consultant so that any looming problems can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported easily to an alternate hosting solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can save as much as half of time spent searching for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether youíre making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For Downers Grove 24x7 Ransomware Repair Support Services, call Progent at 800-993-9400 or go to Contact Progent.