Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become a modern cyberplague that presents an enterprise-level danger for any business vulnerable to an attack. Versions of crypto-ransomware such as Reveton, Fusob, Locky, Syskey and the MongoLock cryptoworm have been in the wild for years and still inflict damage. Recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus a steady stream of as yet unnamed malware, not only encrypt online data files but also seek out and encrypt most reachable system backups. Data replicated to off-site disaster recovery sites can be encrypted as well. In a vulnerable environment this can make any restore operation hopeless and effectively sets the network back to zero.

Recovering applications and data after a ransomware event becomes a race against time as the targeted organization fights to contain the damage, clear the ransomware, and resume mission-critical operations. Because ransomware takes time to move laterally, attacks are usually launched at night, when they take longer to discover. This multiplies the difficulty of promptly assembling and orchestrating a qualified response team.

Progent provides a range of solutions for protecting organizations from crypto-ransomware attacks. These include staff training to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of AI-based security solutions from SentinelOne to detect and quarantine new cyber threats automatically. Progent also offers the services of experienced ransomware recovery professionals with the talent and perseverance to rebuild a compromised system as quickly as possible.

Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware event, paying the ransom demand in Bitcoin provides no assurance that the criminal gang will respond with the keys to decrypt all of your information. Kaspersky found that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET estimates at approximately $13,000. The other path is to piece the critical components of your IT environment back together. Without complete information backups, this requires a broad range of IT skills, professional project management, and the capacity to work non-stop until the task is done.

For twenty years, Progent has offered expert Information Technology services to businesses in Downers Grove and throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (visit Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to rapidly identify critical systems, organize the remaining pieces of your IT environment after a crypto-ransomware attack, and rebuild them into a functioning whole.

Progent's security group deploys state-of-the-art project management tools to coordinate the sophisticated recovery process. Progent knows the importance of working swiftly and in concert with a client's management and Information Technology team members to prioritize tasks and to get critical applications back on-line as fast as possible.

Customer Story: A Successful Crypto-Ransomware Virus Restoration
A business sought out Progent after their organization was taken over by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from America's NSA. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is one of the most profitable examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area with around 500 employees. The Ryuk intrusion had disabled all company operations and manufacturing processes. Most of the client's system backups had been online at the time of the intrusion and were destroyed. The client considered paying the ransom demand (more than $200,000) and hoping for the best, but ultimately turned to Progent.


"I can't tell you enough in regards to the care Progent gave us throughout the most critical period of (our) company's existence. We had little choice but to pay the hackers behind this attack if not for the confidence the Progent group afforded us. The fact that you were able to get our messaging and essential applications back into operation sooner than one week was beyond my wildest dreams. Each person I talked with or e-mailed at Progent was hell bent on getting us back online and was working non-stop on our behalf."

Progent worked hand in hand with the client to rapidly assess and prioritize the mission-critical elements that had to be restored before company functions could resume:

  • Active Directory (AD)
  • Email
  • MRP System
To begin, Progent followed ransomware incident response best practices by isolating and cleaning up infected systems. Progent then began the work of bringing Microsoft Active Directory back online, since it is the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange messaging will not operate without Windows AD, and the business's MRP system relied on SQL Server, which in turn needs Windows AD to authorize access to the data.

In less than 48 hours, Progent had rebuilt Active Directory services to their pre-attack state. Progent then started the rebuild and storage recovery of the most important systems. All Exchange Server ties and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to find local OST files (Outlook Offline Data Files) on user desktop computers and recover email from them. A recent off-line backup of the customer's accounting/ERP software made it possible to bring those vital services back online. Although a great deal of work remained to recover fully from the Ryuk attack, critical systems were returned to operation quickly:
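The ordering logic behind the recovery described above (Active Directory first, because Exchange and SQL Server depend on it, and the MRP system only after SQL Server) is a dependency graph. The following is an added example, not code from the case study or from Progent, that turns such a graph into restore waves: every service in a wave depends only on services restored in earlier waves, so the members of one wave can be rebuilt in parallel, and a circular or unknown dependency is reported instead of silently producing a bad plan. The dependency map is constructed for illustration; the Exchange, SQL Server and MRP edges come from the text, while the MailStore and web site entries are assumed.

```python
from typing import Dict, List

# Constructed service dependency map for this example: service -> services it
# requires before it can be restored. The AD/Exchange/SQL Server/MRP edges follow
# the case study; the MailStore and web site entries are assumed for illustration.
DEPENDENCIES: Dict[str, List[str]] = {
    "Active Directory": [],
    "Exchange": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP": ["SQL Server"],
    "MailStore": ["Exchange"],          # assumed: archive needs the mail system back
    "Web sites": [],                     # assumed: self-hosted, no AD dependency
}


def restore_waves(deps: Dict[str, List[str]]) -> List[List[str]]:
    """Group services into waves so that wave n depends only on waves < n.

    Raises ValueError for a circular dependency (no valid order exists) and for
    a dependency that is not itself described in the map (an incomplete plan).
    """
    level: Dict[str, int] = {}
    visiting: set = set()

    def depth(service: str) -> int:
        if service in level:
            return level[service]
        if service in visiting:
            raise ValueError(f"circular dependency involving {service!r}")
        if service not in deps:
            raise ValueError(f"{service!r} is required but has no entry in the plan")
        visiting.add(service)
        requires = deps[service]
        # A service with no prerequisites goes in wave 0; otherwise one wave
        # after the latest of its prerequisites.
        level[service] = 0 if not requires else 1 + max(depth(r) for r in requires)
        visiting.discard(service)
        return level[service]

    for service in deps:
        depth(service)

    waves: List[List[str]] = []
    for service, n in level.items():
        while len(waves) <= n:
            waves.append([])
        waves[n].append(service)
    return [sorted(wave) for wave in waves]


def restore_order(deps: Dict[str, List[str]]) -> List[str]:
    """Flatten the waves into a single sequential restore order."""
    return [service for wave in restore_waves(deps) for service in wave]


if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(DEPENDENCIES)):
        print(f"wave {i}: {', '.join(wave)}")
```

Running the block prints three waves: Active Directory and the web sites first, then Exchange and SQL Server, then MRP and MailStore. The check for unknown dependencies matters in practice: a recovery plan that references a system nobody has documented is exactly the gap that surfaces at 2 a.m. during an incident.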


"For the most part, the production manufacturing operation survived unscathed and we did not miss any customer sales."

Over the following month, key milestones in the recovery process were reached through close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore Server with over four million archived emails was restored to operations and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were 100% operational.
  • A new Palo Alto Networks 850 firewall was installed.
  • 90% of the user desktops and notebooks were operational.

"Much of what transpired in the initial days is mostly a blur for me, but my team will not forget the countless hours all of the team put in to give us our business back. I've utilized Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered. This time was a stunning achievement."

Conclusion
A potential business-ending disaster was avoided through hard-working experts, a broad array of IT skills, and close teamwork. In hindsight, the crypto-ransomware attack described here should have been prevented by up-to-date cyber security solutions, NIST Cybersecurity Framework best practices, staff training, and well-designed procedures for data backup and software patching. The reality remains, however, that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, you can be confident that Progent's team of experts has proven experience in ransomware blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for letting me get rested after we got past the initial fire. All of you did an incredible job, and if anyone is in the Chicago area, dinner is my treat!"

A PDF version of this customer case study is available: Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Downers Grove a variety of online monitoring and security assessment services to help reduce the threat from ransomware. These services incorporate next-generation AI technology to detect new strains of crypto-ransomware that evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to automate the entire threat progression including blocking, identification, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge tools incorporated within one agent managed from a single console. Progent's data protection and virtualization consultants can help you design and configure a ProSight ESP deployment that addresses your organization's specific requirements and helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and configure the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also help your company set up and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup software providers to produce ProSight Data Protection Services (DPS), a family of management offerings that deliver backup-as-a-service. ProSight DPS services manage and monitor your data backup processes and enable non-disruptive backup and fast restoration of important files, apps, images, plus VMs. ProSight DPS helps you recover from data loss resulting from hardware breakdown, natural calamities, fire, malware such as ransomware, user mistakes, ill-intentioned insiders, or software bugs. Managed backup services available in the ProSight Data Protection Services product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide web-based control and world-class protection for all your email traffic. The hybrid structure of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as the first line of defense and keeps most threats from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper level of analysis for inbound email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map, track, optimize and debug their connectivity hardware such as switches, firewalls, and access points, plus servers, client computers and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept up to date, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating complex management and troubleshooting activities, WAN Watch can cut hours off ordinary tasks such as making network diagrams, expanding your network, finding appliances that need critical software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating at peak levels by tracking the health of the critical computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT management staff and your assigned Progent consultant so that potential problems can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to a different hosting solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect data related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By keeping your network documentation current and organized, you can eliminate as much as half of the time wasted searching for critical information about your network. ProSight IT Asset Management provides a centralized location for storing and sharing all documents related to managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates next-generation behavior-based machine learning technology to guard endpoints as well as servers and VMs against new malware attacks such as ransomware and file-less exploits, which routinely get by traditional signature-matching anti-virus tools. The service safeguards local and cloud resources and provides a unified platform to automate the complete malware attack progression including blocking, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Support Desk services allow your IT staff to outsource Call Center services to Progent or split activity for Service Desk support transparently between your internal network support resources and Progent's nationwide pool of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless extension of your corporate support organization. User interaction with the Service Desk, provision of support services, problem escalation, ticket creation and tracking, performance metrics, and maintenance of the support database are cohesive whether issues are taken care of by your corporate network support group, by Progent's team, or both. Read more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of any size a versatile and affordable solution for assessing, testing, scheduling, applying, and documenting updates to your ever-evolving IT network. Besides maximizing the protection and reliability of your IT environment, Progent's patch management services free up time for your in-house IT team to concentrate on line-of-business projects and tasks that derive the highest business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo technology to defend against password theft through two-factor authentication. Duo enables single-tap identity confirmation on Apple iOS, Android, and other personal devices. With 2FA, when you log into a protected application and enter your password, you are asked to confirm your identity via a device that only you possess and that is reached over a different ("out-of-band") network channel. A broad range of devices can serve as this added means of ID validation, including a smartphone or wearable, a hardware or software token, or a landline phone. You can register several validation devices. For more information about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication (2FA) services for access security.
For Downers Grove 24/7/365 CryptoLocker Removal Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.