Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware  Remediation ConsultantsCrypto-Ransomware has become an escalating cyberplague that represents an existential threat for businesses of all sizes vulnerable to an assault. Multiple generations of crypto-ransomware such as CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and still cause havoc. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, along with more unnamed newcomers, not only encrypt online files but also infiltrate most accessible system backups. Information synched to the cloud can also be ransomed. In a poorly designed environment, it can render any restoration hopeless and basically knocks the network back to square one.

Getting back on-line services and information following a ransomware outage becomes a race against time as the victim tries its best to contain, clear the ransomware, and resume business-critical operations. Since ransomware needs time to move laterally, attacks are usually sprung on weekends, when attacks may take longer to recognize. This compounds the difficulty of promptly assembling and coordinating a knowledgeable mitigation team.

Progent provides an assortment of services for securing businesses from ransomware penetrations. These include team member training to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security gateways with AI capabilities from SentinelOne to discover and disable new cyber threats intelligently. Progent also provides the services of experienced crypto-ransomware recovery consultants with the skills and commitment to re-deploy a breached system as rapidly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency does not ensure that distant criminals will respond with the keys to decrypt any of your files. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms are often several hundred thousand dollars. For larger enterprises, the ransom can be in the millions. The alternative is to re-install the mission-critical elements of your IT environment. Absent access to essential system backups, this calls for a broad range of skill sets, top notch team management, and the ability to work continuously until the recovery project is finished.

For two decades, Progent has offered certified expert Information Technology services for businesses across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained top industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally-renowned certifications including CISM, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent in addition has expertise in accounting and ERP applications. This breadth of experience affords Progent the ability to knowledgably ascertain necessary systems and consolidate the surviving components of your Information Technology environment after a crypto-ransomware penetration and configure them into an operational network.

Progent's ransomware team utilizes state-of-the-art project management tools to orchestrate the complex restoration process. Progent understands the urgency of working quickly and in unison with a customer's management and Information Technology team members to assign priority to tasks and to put critical applications back on-line as fast as possible.

Client Case Study: A Successful Ransomware Attack Recovery
A small business engaged Progent after their company was penetrated by Ryuk ransomware. Ryuk is generally considered to have been launched by Northern Korean government sponsored criminal gangs, suspected of adopting approaches exposed from America's National Security Agency. Ryuk targets specific organizations with little or no tolerance for disruption and is among the most lucrative incarnations of ransomware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago with around 500 workers. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's data protection had been on-line at the beginning of the attack and were damaged. The client was evaluating paying the ransom demand (in excess of $200K) and hoping for good luck, but ultimately reached out to Progent.


"I can't say enough in regards to the support Progent provided us during the most fearful time of (our) company's survival. We had little choice but to pay the cyber criminals except for the confidence the Progent group gave us. That you could get our e-mail system and important servers back on-line faster than seven days was something I thought impossible. Each expert I talked with or messaged at Progent was amazingly focused on getting my company operational and was working 24 by 7 to bail us out."

Progent worked with the client to quickly determine and prioritize the critical systems that had to be restored to make it possible to resume business functions:

  • Active Directory (AD)
  • Microsoft Exchange
  • MRP System
To begin, Progent adhered to AV/Malware Processes penetration response best practices by stopping lateral movement and performing virus removal steps. Progent then initiated the task of restoring Microsoft AD, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange email will not work without Active Directory, and the client's MRP software leveraged Microsoft SQL, which depends on Active Directory services for access to the information.

In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then assisted with reinstallations and storage recovery on mission critical servers. All Microsoft Exchange Server data and attributes were usable, which accelerated the rebuild of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Offline Folder Files) on team PCs in order to recover mail information. A recent offline backup of the customer's accounting/ERP software made them able to restore these vital programs back servicing users. Although a large amount of work was left to recover totally from the Ryuk event, the most important systems were restored quickly:


"For the most part, the production line operation showed little impact and we produced all customer shipments."

During the next couple of weeks key milestones in the restoration project were accomplished through close collaboration between Progent engineers and the customer:

  • Internal web applications were returned to operation with no loss of information.
  • The MailStore Server containing more than 4 million historical emails was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were fully restored.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Nearly all of the user workstations were back into operation.

"So much of what was accomplished in the initial days is mostly a haze for me, but I will not forget the commitment each of you put in to give us our business back. I've been working together with Progent for the past ten years, maybe more, and every time Progent has shined and delivered as promised. This event was the most impressive ever."

Conclusion
A possible business-killing catastrophe was avoided due to hard-working professionals, a wide range of IT skills, and close teamwork. Although in hindsight the crypto-ransomware virus incident detailed here would have been identified and prevented with up-to-date security technology and NIST Cybersecurity Framework best practices, user and IT administrator training, and appropriate incident response procedures for data backup and applying software patches, the reality remains that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has a proven track record in ransomware virus defense, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thank you for making it so I could get some sleep after we made it past the initial push. Everyone did an incredible job, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Chicago a variety of online monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services include next-generation artificial intelligence technology to uncover new variants of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to manage the complete threat lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP deployment that addresses your organization's specific needs and that helps you demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent's consultants can also help you to install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup software companies to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services manage and monitor your backup processes and allow non-disruptive backup and fast restoration of critical files, apps, system images, and virtual machines. ProSight DPS helps you avoid data loss caused by equipment failures, natural disasters, fire, malware like ransomware, user error, malicious employees, or software bugs. Managed backup services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security vendors to deliver centralized control and comprehensive security for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway device adds a deeper layer of inspection for incoming email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, DLP, and email encryption. The local gateway can also help Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, monitor, reconfigure and troubleshoot their networking hardware such as routers and switches, firewalls, and access points as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are kept updated, copies and manages the configuration information of almost all devices on your network, monitors performance, and sends alerts when problems are detected. By automating tedious management activities, ProSight WAN Watch can cut hours off common chores such as network mapping, expanding your network, finding devices that require important updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by tracking the state of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT management personnel and your assigned Progent engineering consultant so any potential problems can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Since the system is virtualized, it can be ported easily to a different hardware solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard data related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSLs or domains. By updating and managing your IT documentation, you can save up to 50% of time spent trying to find critical information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates next generation behavior analysis technology to defend endpoints as well as physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which easily escape legacy signature-matching anti-virus tools. Progent ASM services safeguard on-premises and cloud resources and offers a unified platform to manage the entire malware attack lifecycle including blocking, identification, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Support Desk managed services permit your IT group to outsource Support Desk services to Progent or divide activity for support services transparently between your in-house support group and Progent's extensive pool of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a transparent supplement to your internal support organization. User access to the Help Desk, delivery of support services, issue escalation, ticket generation and tracking, performance metrics, and maintenance of the service database are consistent whether issues are resolved by your in-house network support group, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and tracking updates to your ever-evolving information system. In addition to optimizing the security and reliability of your IT environment, Progent's software/firmware update management services free up time for your in-house IT staff to focus on line-of-business initiatives and activities that deliver maximum business value from your network. Read more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity verification on iOS, Android, and other personal devices. With 2FA, whenever you log into a secured online account and give your password you are asked to confirm who you are on a device that only you have and that is accessed using a different ("out-of-band") network channel. A wide selection of out-of-band devices can be used as this second means of authentication including an iPhone or Android or watch, a hardware token, a landline phone, etc. You can register several validation devices. For more information about ProSight Duo identity authentication services, go to Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time management reporting plug-ins designed to work with the industry's top ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24x7x365 Chicago Crypto Removal Help, call Progent at 800-462-8800 or go to Contact Progent.