Crypto-Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Remediation ConsultantsRansomware has become a modern cyber pandemic that represents an extinction-level threat for businesses vulnerable to an assault. Multiple generations of crypto-ransomware like the Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been out in the wild for years and still inflict harm. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus frequent unnamed malware, not only encrypt online data files but also infect most configured system restores and backups. Information replicated to the cloud can also be corrupted. In a poorly designed system, it can render any restoration impossible and effectively knocks the entire system back to square one.

Getting back services and data after a crypto-ransomware attack becomes a race against the clock as the targeted organization fights to contain and remove the crypto-ransomware and to restore enterprise-critical activity. Since ransomware takes time to spread, penetrations are usually launched at night, when successful attacks in many cases take more time to recognize. This multiplies the difficulty of rapidly mobilizing and orchestrating an experienced response team.

Progent offers a range of solutions for securing organizations from ransomware penetrations. These include team member education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of next-generation security appliances with AI technology from SentinelOne to detect and quarantine zero-day threats rapidly. Progent also can provide the assistance of experienced crypto-ransomware recovery consultants with the talent and commitment to rebuild a breached network as rapidly as possible.

Progent's Ransomware Recovery Services
Soon after a ransomware attack, sending the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will provide the codes to unencrypt any of your information. Kaspersky estimated that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to piece back together the key components of your IT environment. Without access to complete information backups, this requires a wide complement of skills, professional team management, and the ability to work 24x7 until the recovery project is complete.

For decades, Progent has made available expert IT services for companies in Downers Grove and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned top certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience provides Progent the capability to knowledgably determine important systems and organize the surviving pieces of your Information Technology system after a ransomware penetration and rebuild them into a functioning network.

Progent's recovery team of experts uses powerful project management applications to orchestrate the complicated restoration process. Progent knows the urgency of working swiftly and in concert with a customer's management and Information Technology staff to prioritize tasks and to get the most important services back on-line as fast as humanly possible.

Customer Case Study: A Successful Ransomware Intrusion Response
A business escalated to Progent after their network was crashed by the Ryuk ransomware. Ryuk is believed to have been created by Northern Korean government sponsored hackers, suspected of using algorithms exposed from America's National Security Agency. Ryuk seeks specific companies with limited room for operational disruption and is among the most profitable instances of ransomware. Well Known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area and has about 500 workers. The Ryuk event had disabled all company operations and manufacturing processes. The majority of the client's data protection had been directly accessible at the time of the intrusion and were damaged. The client was taking steps for paying the ransom (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.


"I can't say enough about the expertise Progent gave us throughout the most fearful period of (our) businesses life. We would have paid the hackers behind this attack if not for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and critical servers back online faster than a week was beyond my wildest dreams. Each consultant I interacted with or e-mailed at Progent was totally committed on getting us working again and was working breakneck pace on our behalf."

Progent worked together with the client to quickly understand and prioritize the key systems that had to be recovered in order to restart company operations:

  • Active Directory
  • E-Mail
  • MRP System
To start, Progent followed AV/Malware Processes penetration response industry best practices by isolating and cleaning up infected systems. Progent then began the process of bringing back online Microsoft AD, the core of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the client's MRP applications used SQL Server, which requires Active Directory for authentication to the databases.

Within 2 days, Progent was able to rebuild Active Directory services to its pre-intrusion state. Progent then helped perform setup and hard drive recovery on critical servers. All Exchange Server ties and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to collect local OST data files (Outlook Off-Line Folder Files) on user workstations and laptops to recover mail information. A not too old offline backup of the client's manufacturing systems made them able to return these vital applications back on-line. Although major work remained to recover completely from the Ryuk attack, the most important services were returned to operations rapidly:


"For the most part, the production line operation never missed a beat and we did not miss any customer sales."

Throughout the following couple of weeks critical milestones in the recovery process were achieved through close cooperation between Progent team members and the client:

  • Internal web sites were restored with no loss of information.
  • The MailStore Exchange Server containing more than 4 million historical emails was brought on-line and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the user desktops and notebooks were back into operation.

"So much of what was accomplished that first week is mostly a haze for me, but our team will not forget the countless hours each of the team accomplished to help get our business back. I have been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This time was a testament to your capabilities."

Conclusion
A possible company-ending catastrophe was evaded with hard-working experts, a broad array of IT skills, and tight collaboration. Although upon completion of forensics the ransomware virus attack detailed here could have been blocked with modern security technology and security best practices, team training, and properly executed security procedures for information backup and applying software patches, the fact remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's roster of experts has extensive experience in ransomware virus blocking, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thanks very much for allowing me to get rested after we got over the initial fire. All of you did an fabulous effort, and if any of your guys is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer story, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Downers Grove a portfolio of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services include next-generation artificial intelligence technology to uncover new strains of crypto-ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely get by legacy signature-matching AV tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to automate the complete threat lifecycle including blocking, infiltration detection, mitigation, remediation, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device control, and web filtering through leading-edge technologies packaged within one agent accessible from a unified console. Progent's data protection and virtualization consultants can assist you to plan and configure a ProSight ESP environment that meets your organization's specific needs and that helps you demonstrate compliance with legal and industry information security standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also help you to install and verify a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup technology companies to produce ProSight Data Protection Services, a family of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and track your backup processes and allow non-disruptive backup and fast recovery of critical files/folders, applications, system images, plus VMs. ProSight DPS helps your business avoid data loss caused by equipment failures, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or application glitches. Managed backup services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security companies to deliver centralized control and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This reduces your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further layer of analysis for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to map out, monitor, enhance and troubleshoot their networking appliances like routers, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are always updated, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating tedious network management activities, WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating appliances that require important updates, or isolating performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the state of critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT personnel and your Progent consultant so that all looming problems can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported immediately to a different hardware solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard information about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned about impending expirations of SSLs ,domains or warranties. By updating and organizing your network documentation, you can save as much as 50% of time wasted trying to find critical information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates next generation behavior analysis tools to guard endpoints and servers and VMs against modern malware assaults like ransomware and email phishing, which routinely evade legacy signature-based AV products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provides a single platform to address the complete malware attack lifecycle including filtering, infiltration detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Call Center managed services allow your IT team to offload Support Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house network support group and Progent's nationwide pool of certified IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent supplement to your core support team. Client access to the Service Desk, provision of support, problem escalation, trouble ticket creation and updates, efficiency metrics, and management of the support database are cohesive regardless of whether incidents are resolved by your internal support organization, by Progent's team, or both. Read more about Progent's outsourced/co-managed Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of all sizes a flexible and cost-effective solution for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic IT system. Besides maximizing the security and reliability of your computer environment, Progent's software/firmware update management services permit your in-house IT team to focus on more strategic projects and activities that deliver maximum business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against password theft by using two-factor authentication. Duo supports one-tap identity verification with Apple iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you log into a secured online account and enter your password you are asked to confirm who you are via a unit that only you have and that uses a different ("out-of-band") network channel. A broad range of devices can be used as this added means of authentication including a smartphone or wearable, a hardware token, a landline telephone, etc. You can register multiple verification devices. For more information about Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time management reporting plug-ins designed to integrate with the industry's leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues like inconsistent support follow-through or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For Downers Grove 24-7 Ransomware Removal Consultants, contact Progent at 800-462-8800 or go to Contact Progent.