Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware Recovery Experts
Ransomware has become an all-too-frequent cyberplague that represents an enterprise-level threat for organizations poorly prepared for an assault. Older ransomware families such as CryptoLocker, Fusob, Locky, SamSam and the MongoLock cryptoworms have been around for a long time and continue to inflict damage. Newer crypto-ransomware families like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with many unnamed variants, not only encrypt online data but also infect any accessible system backups. Files replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed data protection solution, this can make automatic restoration impossible and effectively knocks the datacenter back to square one.

Retrieving programs and information following a ransomware outage becomes a sprint against the clock as the victim tries to stop the spread, remove the ransomware and restore business-critical operations. Because ransomware takes time to spread, attacks are usually sprung during weekends and nights, when penetrations may take longer to recognize. This multiplies the difficulty of promptly mobilizing and organizing an experienced mitigation team.

Progent offers a variety of support services for protecting enterprises from ransomware penetrations. Among these are team member training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security solutions with machine learning technology to automatically identify and extinguish zero-day cyber attacks. Progent also provides the assistance of veteran crypto-ransomware recovery consultants with the skills and commitment to reconstruct a breached environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Services
Following a crypto-ransomware penetration, paying the ransom demanded in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the keys needed to decrypt any of your data. Kaspersky found that seventeen percent of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET determined to be around $13,000. The other path is to rebuild from scratch the critical parts of your IT environment. Without full data backups, this requires a broad complement of skills, well-coordinated project management, and the capability to work continuously until the task is complete.

For twenty years, Progent has made available certified expert IT services for companies in Downers Grove and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of experience gives Progent the capability to efficiently understand important systems and integrate the surviving parts of your network environment following a ransomware penetration and configure them into a functioning system.

Progent's ransomware team of experts uses state-of-the-art project management tools to orchestrate the complicated restoration process. Progent appreciates the importance of acting swiftly and working together with a customer's management and IT team members to prioritize tasks and get key services back online as fast as humanly possible.

Client Story: A Successful Crypto-Ransomware Attack Response
A customer contacted Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean government-sponsored hackers, suspected of adopting strategies exposed from America's National Security Agency. Ryuk targets specific companies with little or no room for operational disruption and is among the most profitable versions of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in Chicago with about 500 workers. The Ryuk event had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were encrypted. The client was evaluating paying the ransom (in excess of $200,000) and hoping for good luck, but ultimately made the decision to engage Progent.


"I cannot tell you enough in regards to the expertise Progent provided us during the most critical time of (our) company's existence. We would have paid the cyber criminals behind the attack except for the confidence the Progent group gave us. The fact that you could get our e-mail system and key servers back online quicker than seven days was incredible. Every single consultant I spoke to or texted at Progent was absolutely committed on getting us restored and was working at all hours on our behalf."

Progent worked with the customer to quickly assess and assign priority to the critical systems that needed to be addressed in order to continue business operations:

  • Microsoft Active Directory
  • E-Mail
  • Accounting/MRP
To begin, Progent followed anti-virus incident response best practices by isolating and cleaning up compromised systems. Progent then started the steps of restoring Active Directory, the heart of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server email will not work without Active Directory, and the customer's MRP system leveraged Microsoft SQL, which requires Active Directory for access to the data.

Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then helped perform setup and hard drive recovery of the most important servers. All Exchange ties and configuration information were intact, which greatly helped the restoration of Exchange. Progent was able to find intact OST files (Outlook Offline Folder Files) on staff workstations in order to recover email data. A fairly recent offline backup of the business's accounting software made it possible to bring these vital services back online. Although a large amount of work was left to recover fully from the Ryuk virus, critical services were restored quickly:


"For the most part, the production operation showed little impact and we delivered all customer deliverables."

During the next month important milestones in the recovery project were made in close cooperation between Progent team members and the customer:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore archive for Microsoft Exchange Server, holding more than 4 million archived emails, was restored to operation and made accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100% functional.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the desktops and laptops were operational.

"So much of what transpired that first week is nearly entirely a fog for me, but we will not forget the countless hours each of your team put in to help get our company back. I've trusted Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A possible business-ending disaster was avoided with dedicated experts, a wide range of IT skills, and tight collaboration. In hindsight, the ransomware incident described here should have been identified and stopped by up-to-date security technology and recognized best practices: staff training, well-designed incident response procedures, properly protected data, and systems kept current with security patches. The reality remains, however, that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware penetration, you can be confident that Progent's roster of professionals has extensive experience in ransomware defense, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), thank you for making it so I could get some sleep after we made it over the first week. All of you did an impressive job, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Downers Grove a range of online monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services incorporate next-generation machine learning capability to detect new variants of crypto-ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior-based machine learning technology to defend physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which easily evade legacy signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to automate the complete malware attack progression including blocking, detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP deployment that addresses your organization's unique needs and that allows you to prove compliance with government and industry information security standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also assist your company to set up and test a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup software providers to create ProSight Data Protection Services (DPS), a family of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup operations and enable transparent backup and fast restoration of vital files/folders, applications, images, and VMs. ProSight DPS lets your business recover from data loss resulting from hardware breakdown, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed backup services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security vendors to provide web-based management and world-class security for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway device to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter serves as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a further level of analysis for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Exchange Server to monitor and protect internal email that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to map out, track, optimize and troubleshoot their networking hardware such as routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept updated, captures and displays the configuration information of virtually all devices on your network, monitors performance, and sends notices when issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off common chores like network mapping, expanding your network, finding devices that need important software patches, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT management staff and your Progent consultant so that any looming problems can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved easily to a different hosting solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard information about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half the time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior-based machine learning technology to guard endpoint devices and servers and VMs against new malware attacks like ransomware and email phishing, which easily evade traditional signature-matching AV products. Progent Active Security Monitoring services safeguard local and cloud-based resources and provides a unified platform to automate the complete threat lifecycle including blocking, infiltration detection, mitigation, remediation, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Support Center services allow your IT staff to offload Help Desk services to Progent or split responsibilities for Help Desk services transparently between your internal network support resources and Progent's extensive pool of certified IT support engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth extension of your core support resources. Client access to the Service Desk, provision of technical assistance, issue escalation, ticket creation and tracking, efficiency metrics, and management of the service database are cohesive regardless of whether incidents are resolved by your core IT support resources, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide businesses of all sizes a versatile and affordable solution for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your dynamic information network. In addition to maximizing the protection and functionality of your computer network, Progent's software/firmware update management services free up time for your in-house IT team to focus on more strategic initiatives and activities that deliver maximum business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA service plans utilize Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication. Duo enables single-tap identity confirmation with iOS, Android, and other personal devices. Using 2FA, when you sign into a secured application and enter your password you are asked to verify your identity via a device that only you have and that is accessed using a separate network channel. A wide selection of out-of-band devices can be used as this added form of authentication, including an iPhone, Android phone or wearable, a hardware token, a landline phone, etc. You can designate several validation devices. To find out more about ProSight Duo identity authentication services, see Duo MFA two-factor authentication (2FA) services.
For 24/7/365 Downers Grove Ransomware Cleanup Consultants, contact Progent at 800-462-8800 or go to Contact Progent.