Ransomware: Your Crippling IT Catastrophe
Crypto-Ransomware Recovery Consultants
Ransomware has become an all-too-frequent cyberplague that presents an existential danger to organizations vulnerable to attack. Families such as Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been around for years and still cause harm. Newer crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, plus many unnamed variants, not only encrypts online data but also encrypts any system backups it can reach. Data replicated to off-site disaster recovery sites can be rendered useless as well: anything writable from a compromised domain account, including backup shares and replication targets, is within the attacker's reach, and only copies that are offline, immutable, or isolated from production credentials reliably survive. In a poorly designed data protection solution this leaves nothing to restore from and knocks the datacenter back to square one.

Recovering services and data after a ransomware outage becomes a sprint against time as the targeted business tries to contain the damage, clear the crypto-ransomware and restore business-critical activity. Because ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when they take longer to detect. This compounds the difficulty of promptly marshalling and orchestrating an experienced response team.

Progent offers an assortment of services for protecting enterprises from crypto-ransomware events. Among these are staff training to recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for managed endpoint protection, and deployment of next-generation endpoint protection built on SentinelOne's behavior-based machine learning to detect and stop zero-day attacks automatically. Progent can also provide expert ransomware recovery professionals with the skills and commitment to rebuild a breached system as quickly as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will respond with working keys to decrypt any or all of your information. Kaspersky found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000 at the time), well above the typical crypto-ransomware demand, which ZDNet reports as averaging around $13,000. The other path is to rebuild the key components of your IT environment. Without complete, uncompromised backups, this calls for a broad complement of skills, professional project management, and the capacity to work around the clock until the job is done.

For twenty years, Progent has offered certified expert IT services to businesses in Downers Grove and throughout the U.S. and has earned Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's group of subject matter experts (SMEs) includes engineers who hold top industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of experience lets Progent quickly identify the systems that must be rebuilt, integrate the surviving parts of your IT environment after a ransomware attack, and configure them into a working network.

Progent's recovery team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent knows the importance of working quickly and in unison with a client's management and IT staff to prioritize tasks and get essential applications back online as soon as humanly possible.

Customer Story: A Successful Ransomware Intrusion Recovery
A business engaged Progent after it was brought down by the Ryuk crypto-ransomware. Early reports linked Ryuk to North Korean state-sponsored hackers because it shares code with the older Hermes ransomware; later analysis attributes it to a Russian-speaking criminal group tracked as Wizard Spider. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is among the most lucrative ransomware operations. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk attack had brought down all essential business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible from the network at the time of the intrusion and were eventually encrypted. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I can't tell you enough about the expertise Progent provided us during the most fearful time of (our) company's existence. We would have paid the cybercriminals if not for the confidence the Progent experts provided us. The fact that you could get our messaging and key applications back faster than a week was incredible. Each person I worked with or e-mailed at Progent was amazingly focused on getting us restored and was working non-stop on our behalf."

Progent worked hand in hand with the client to rapidly understand and prioritize the key systems that had to be restored in order to resume departmental operations:

  • Windows Active Directory
  • Microsoft Exchange
  • Accounting/MRP
To start, Progent followed ransomware incident response best practices by halting the spread and cleaning infected systems. Progent then began rebuilding Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server will not function without Windows AD, and the business's financials and MRP software ran on Microsoft SQL Server configured to authenticate users through Active Directory, so nothing above AD could come back until AD did.

In less than two days, Progent restored Windows Active Directory to its pre-attack state. Progent then reinstalled and recovered the disks of the critical servers. All Exchange Server schema extensions and attributes in AD were usable, which greatly simplified the Exchange rebuild. Progent was also able to collect unencrypted OST files (Outlook offline data files) from user workstations and laptops to recover email; an OST holds only what each workstation had synchronized in Cached Exchange Mode, so this recovers recent mail rather than full mailbox history. A recent offline backup of the client's accounting/ERP systems made it possible to bring these vital applications back online. Although major work remained to recover completely from the Ryuk attack, the most important services were returned to operation quickly:


"For the most part, the manufacturing operation was never shut down and we did not miss any customer shipments."

Over the next few weeks, critical milestones in the restoration project were reached in close collaboration between Progent engineers and the client:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore email archive, holding more than 4 million historical Exchange messages, was brought back up and made accessible to users.
  • The CRM, Product Ordering, Invoicing, Accounts Payable (AP), Accounts Receivable (AR) and Inventory Control modules were completely recovered.
  • A new Palo Alto PA-850 firewall was installed and configured.
  • Nearly all of the user workstations were fully operational.

"So much of what happened during the initial response is mostly a blur for me, but I will not soon forget the commitment all of your team accomplished to give us our business back. I have trusted Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered. This situation was a stunning achievement."

Conclusion
A likely business-ending catastrophe was averted through hard-working experts, a broad spectrum of subject matter expertise, and close collaboration. Post-incident analysis showed that the attack described here would have been detected and stopped by modern security tooling and best practices: user and IT administrator training, and well-thought-out procedures for backing up data and applying software patches. The fact remains that state-sponsored and criminal attackers based in Russia, North Korea and elsewhere are tireless and will keep coming. If you are hit by a ransomware incident, remember that Progent's team has proven experience in ransomware defense, cleanup, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get some sleep after we got past the first week. Everyone made an incredible effort, and if anyone that helped is in the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Downers Grove a variety of remote monitoring and security evaluation services to help reduce your exposure to ransomware. These services use behavior-based machine learning to uncover new strains of crypto-ransomware that get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses SentinelOne's next-generation behavior-based analysis to guard physical and virtual endpoints against modern malware such as ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to manage the entire threat lifecycle including filtering, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Note that VSS rollback is only possible if the shadow copies survive the attack; Ryuk and most current families delete them before encrypting, so the agent must stop the attack before that step or protect the copies itself. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and respond to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies packaged in a single agent managed from one console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP deployment that addresses your company's specific requirements and helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also help you set up and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology companies to produce ProSight Data Protection Services, a family of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS services manage and monitor your data backup operations and allow non-disruptive backup and rapid restoration of critical files, applications, images, plus virtual machines. ProSight DPS helps you avoid data loss caused by equipment failures, natural disasters, fire, cyber attacks such as ransomware, user error, malicious insiders, or application glitches. Managed services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security vendors to provide centralized management and world-class security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most threats from making it to your security perimeter. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of inspection for inbound email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, optimize and debug their connectivity appliances such as routers, firewalls, and load balancers as well as servers, client computers and other devices. Using state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology maps are kept current, captures and displays the configuration of virtually all devices on your network, monitors performance, and sends alerts when potential issues are detected. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, finding appliances that require important updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to keep your network running efficiently by tracking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so that any looming problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting, a small business can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and technically risky reconfiguration. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information about your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save as much as half the time spent hunting for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all the documents required to manage your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and correlating IT information. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that uses behavior-based machine learning to defend endpoint devices, servers and VMs against new malware such as ransomware and phishing payloads, which easily escape legacy signature-matching anti-virus tools. The service protects local and cloud resources and provides a single platform to automate the entire threat lifecycle including filtering, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
    Progent's Call Center services permit your IT team to offload Call Center services to Progent or divide responsibilities for Help Desk services transparently between your in-house support resources and Progent's extensive roster of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth extension of your core support group. User access to the Help Desk, delivery of support, problem escalation, trouble ticket creation and tracking, performance measurement, and maintenance of the service database are consistent regardless of whether issues are taken care of by your in-house IT support staff, by Progent's team, or both. Learn more about Progent's outsourced/shared Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of all sizes a flexible and affordable alternative for assessing, testing, scheduling, applying, and tracking software and firmware updates to your dynamic IT network. In addition to optimizing the security and functionality of your computer network, Progent's software/firmware update management services allow your in-house IT staff to focus on line-of-business projects and tasks that derive maximum business value from your information network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA services incorporate Cisco's Duo technology to protect against compromised passwords through two-factor authentication (2FA). Duo supports single-tap identity verification with iOS, Android, and other out-of-band devices. With Duo 2FA, when you log into a protected account and enter your password, you are asked to verify your identity on a device that only you possess and that is reached over a separate network channel. A wide range of out-of-band devices can serve as this second factor, including a smartphone or watch, a hardware or software token, or a landline phone, and you may register several verification devices. To find out more about ProSight Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication services for access security.
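The one-click VSS rollback that ProSight ASM and Active Defense Against Ransomware advertise only helps if shadow copies still exist when the agent acts, and Ryuk, like most current families, runs a short burst of commands to delete shadow copies, shrink shadow storage, wipe the Windows backup catalog and disable boot recovery before it starts encrypting. Spotting that burst is one of the highest-fidelity early alerts a SOC can have, and the minutes between it and mass encryption are when an endpoint agent or an on-call engineer can still isolate the host. The detection below is an added example for this page, not code from ProSight or SentinelOne; the log lines are constructed in a simplified key=value rendering of Windows process-creation events, and the field layout parsed by parse_event() is an assumption to adapt to your SIEM.

```python
"""Detect shadow-copy and backup-catalog destruction in process-creation logs.

Added example for this page, not part of Progent's ProSight ASM or Active
Defense products. The log lines below are constructed for the example in a
simplified key=value rendering of Windows process-creation events (Security
event 4688 or Sysmon event 1); adapt parse_event() to your SIEM's real format.
"""
import re
from datetime import datetime

# Constructed sample: routine activity on a file server, then the burst of
# recovery-destroying commands that Ryuk-style operators run just before
# encryption starts. Seconds-apart timing on one host is the tell.
SAMPLE_LOG = """\
2019-12-21T02:01:10Z host=MFG-FS01 user=CORP\\svc_backup parent=services.exe cmd="vssadmin.exe list shadows"
2019-12-21T02:05:31Z host=MFG-FS01 user=CORP\\jsmith parent=explorer.exe cmd="C:\\Windows\\system32\\notepad.exe shipments.txt"
2019-12-21T02:13:44Z host=MFG-FS01 user=CORP\\Administrator parent=cmd.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2019-12-21T02:13:45Z host=MFG-FS01 user=CORP\\Administrator parent=cmd.exe cmd="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"
2019-12-21T02:13:46Z host=MFG-FS01 user=CORP\\Administrator parent=cmd.exe cmd="wmic.exe shadowcopy delete"
2019-12-21T02:13:47Z host=MFG-FS01 user=CORP\\Administrator parent=cmd.exe cmd="wbadmin.exe delete catalog -quiet"
2019-12-21T02:13:48Z host=MFG-FS01 user=CORP\\Administrator parent=cmd.exe cmd="bcdedit.exe /set {default} recoveryenabled No"
2019-12-21T02:14:02Z host=MFG-FS01 user=CORP\\Administrator parent=cmd.exe cmd="powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Each rule is matched against the lower-cased, whitespace-collapsed command
# line. "vssadmin list shadows" and ordinary backup jobs do not match.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("wbadmin_delete_backup", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b")),
    ("bcdedit_disable_recovery", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("powershell_shadowcopy_delete", re.compile(
        r"\bwin32_shadowcopy\b.*\b(delete|remove-wmiobject|remove-ciminstance)\b")),
]


def normalize(cmd: str) -> str:
    """Collapse whitespace and case so padding or capitalization cannot dodge a rule."""
    return " ".join(cmd.split()).lower()


def match_rules(cmd: str) -> list:
    """Names of every rule the command line triggers (empty list if benign)."""
    norm = normalize(cmd)
    return [name for name, pattern in RULES if pattern.search(norm)]


def parse_event(line: str):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text: str) -> list:
    """One alert per event that matches at least one rule, in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        hits = match_rules(ev["cmd"])
        if hits:
            alerts.append({**ev, "rules": hits})
    return alerts


def correlate(alerts: list, window_seconds: int = 300, min_distinct_rules: int = 2) -> list:
    """Escalate when several distinct destruction techniques hit one host within
    the window. A lone 'vssadmin delete shadows' may be an admin reclaiming disk;
    four or five different techniques inside a minute almost never are."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    bursts = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["time"])
        for i, first in enumerate(items):
            window = [a for a in items[i:]
                      if (a["time"] - first["time"]).total_seconds() <= window_seconds]
            rules = {r for a in window for r in a["rules"]}
            if len(rules) >= min_distinct_rules:
                bursts.append({"host": host, "start": first["ts"], "end": window[-1]["ts"],
                               "distinct_rules": len(rules),
                               "users": sorted({a["user"] for a in window})})
                break   # one escalation per host is enough to page someone
    return bursts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['host']} {a['user']:22s} {','.join(a['rules'])}")
    for b in correlate(found):
        print(f"ESCALATE {b['host']} {b['start']}..{b['end']} "
              f"{b['distinct_rules']} techniques by {b['users']}")
```

Running the file prints one alert per matching event and a single escalation for the host. The correlate() step is the part worth keeping: a lone "vssadmin delete shadows" from a backup operator is a ticket, while several distinct destruction techniques on one host inside a few minutes is a page, and the response to that page is to isolate the host before the encryption phase reaches the file shares.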
For Downers Grove 24x7 CryptoLocker Remediation Experts, contact Progent at 800-462-8800 or go to Contact Progent.