Ransomware : Your Worst Information Technology Catastrophe
Ransomware Recovery Experts

Crypto-ransomware has become a too-frequent cyber pandemic that presents an existential danger for organizations unprepared for an assault. Earlier iterations of ransomware like the Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still inflict damage. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, along with additional as yet unnamed newcomers, not only encrypt on-line information but also infiltrate most available system backups. Information synchronized to off-site disaster recovery sites can also be corrupted. In a poorly designed data protection solution, this can make any restore operation impossible and effectively sets the datacenter back to square one.

Getting applications and data back online after a ransomware attack becomes a race against time as the victim struggles to contain and eradicate the virus and restore mission-critical operations. Since ransomware needs time to spread, intrusions are usually launched during nights and weekends, when attacks may take longer to uncover. This compounds the difficulty of rapidly marshalling and coordinating an experienced response team.

Progent makes available a range of services for securing businesses from crypto-ransomware attacks. Among these are user education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security solutions with artificial intelligence technology from SentinelOne to identify and disable new cyber threats quickly. Progent also offers the services of expert ransomware recovery consultants with the skills and commitment to restore a compromised network as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
After a ransomware invasion, paying the ransom demand in cryptocurrency does not ensure that distant criminals will return the keys needed to decrypt any or all of your information. Kaspersky estimated that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in increased losses. Paying the ransom is also very costly. Ryuk ransoms are often several hundred thousand dollars, and for larger organizations the ransom demand can reach millions of dollars. The alternative is to re-install the key components of your IT environment. Absent complete information backups, this requires a broad complement of skills, well-coordinated team management, and the ability to work continuously until the job is finished.

For twenty years, Progent has offered certified expert IT services for companies throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the ability to rapidly identify the systems that must be recovered, organize the remaining components of your IT environment after a ransomware attack, and rebuild them into a functioning system.

Progent's security team of experts has best-of-breed project management applications to coordinate the complicated recovery process. Progent knows the urgency of working quickly and together with a client's management and IT team members to prioritize tasks and to put critical applications back online as soon as possible.

Customer Case Study: A Successful Ransomware Virus Response
A customer escalated to Progent after their company was taken over by the Ryuk ransomware virus. Ryuk is believed to have been created by North Korean state-sponsored hackers, possibly adopting technology leaked from the United States National Security Agency. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most profitable versions of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with about 500 employees. The Ryuk penetration had paralyzed all business operations and manufacturing processes. Most of the client's backups had been on-line at the time of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (exceeding $200,000) and praying for good luck, but in the end made the decision to use Progent.


"I cannot tell you enough in regards to the expertise Progent gave us throughout the most critical period of (our) company's life. We most likely would have paid the cyber criminals if not for the confidence the Progent group afforded us. The fact that you were able to get our messaging and key servers back online sooner than seven days was amazing. Each expert I worked with or texted at Progent was hell bent on getting us operational and was working non-stop to bail us out."

Progent worked together with the customer to quickly identify and prioritize the mission critical services that needed to be addressed to make it possible to continue business functions:

  • Windows Active Directory
  • Exchange Server
  • Financials/MRP
To get going, Progent adhered to ransomware incident response industry best practices by halting the spread and cleaning systems of viruses. Progent then began the task of rebuilding Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange messaging will not work without Active Directory, and the business's accounting and MRP system used Microsoft SQL Server, which needs Windows AD for authentication to the databases.

In less than two days, Progent was able to restore Active Directory services to their pre-penetration state. Progent then completed reinstallations and hard drive recovery of the most important applications. All Exchange Server schema and configuration information was usable, which accelerated the restore of Exchange. Progent was able to find intact OST files (Microsoft Outlook Off-Line Data Files) on user PCs and laptops to recover email messages. A fairly recent offline backup of the customer's accounting/ERP software made it possible to make these vital programs available to users again. Although a lot of work remained to recover completely from the Ryuk damage, core services were returned to operation quickly:


"For the most part, the manufacturing operation did not miss a beat and we delivered all customer sales."

Throughout the next few weeks key milestones in the restoration process were made in tight cooperation between Progent engineers and the customer:

  • Self-hosted web sites were brought back up without losing any information.
  • The MailStore Exchange Server with over 4 million archived emails was spun up and available for users.
  • CRM/Orders/Invoicing/Accounts Payable/AR/Inventory Control functions were completely recovered.
  • A new Palo Alto Networks 850 firewall was installed.
  • 90% of the user PCs were fully operational.

"A huge amount of what transpired during the initial response is mostly a fog for me, but my team will not soon forget the care all of you put in to help get our business back. I have been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This time was the most impressive ever."

Conclusion
A possible business extinction disaster was averted by top-tier experts, a wide range of technical expertise, and close collaboration. Although in hindsight the ransomware virus attack detailed here would have been stopped by advanced cyber security solutions and security best practices, user and IT administrator education, and appropriate security procedures for information protection and keeping systems up to date with security patches, the fact is that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will keep attacking. If you do fall victim to a crypto-ransomware penetration, remember that Progent's roster of experts has proven experience in ransomware virus defense, mitigation, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for letting me get rested after we got over the most critical parts. Everyone did an incredible effort, and if anyone is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Chicago a variety of online monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services incorporate next-generation artificial intelligence capability to detect new strains of ransomware that are able to escape detection by traditional signature-based anti-virus products.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to keep your IT system running at peak levels by checking the health of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT management personnel and your Progent engineering consultant so that all potential issues can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM Solution for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-driven solution for monitoring and managing your network, server, and desktop devices by providing tools for performing common tedious jobs. These include health checking, patch management, automated repairs, endpoint configuration, backup and recovery, A/V protection, secure remote access, built-in and custom scripts, resource inventory, endpoint profile reporting, and troubleshooting support. If ProSight LAN Watch with NinjaOne RMM spots a serious incident, it transmits an alarm to your designated IT management staff and your Progent consultant so potential problems can be taken care of before they interfere with productivity. Find out more details about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring consulting.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map out, monitor, enhance and debug their connectivity appliances like routers, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that network diagrams are kept current, captures and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when problems are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, finding devices that need critical updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time reporting tools created to integrate with the industry's leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-through or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology providers to produce ProSight Data Protection Services, a portfolio of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and allow non-disruptive backup and fast recovery of vital files/folders, apps, system images, and VMs. ProSight DPS lets your business recover from data loss resulting from hardware breakdown, natural disasters, fire, malware such as ransomware, human error, ill-intentioned insiders, or software glitches. Managed backup services available in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to provide web-based management and comprehensive protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard combines cloud-based filtering with a local security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further layer of inspection for inbound email. For outbound email, the local security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also help Exchange Server to track and protect internal email that stays inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to defend against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity verification on iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you log into a secured online account and enter your password you are asked to confirm who you are on a device that only you possess and that is accessed using a different ("out-of-band") network channel. A wide range of out-of-band devices can be used for this added form of authentication including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may register several validation devices. For details about ProSight Duo identity validation services, see Duo MFA two-factor authentication (2FA) services.

  • Progent's Outsourced/Shared Service Center: Help Desk Managed Services
    Progent's Help Desk services enable your IT team to outsource Support Desk services to Progent or split activity for Service Desk support seamlessly between your in-house network support team and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your corporate IT support resources. End user access to the Help Desk, delivery of support services, escalation, ticket generation and tracking, efficiency metrics, and maintenance of the support database are consistent whether issues are resolved by your in-house support resources, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Service Desk services.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior-based analysis tools to defend endpoints and physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus tools. Progent ASM services safeguard local and cloud resources and provide a single platform to automate the entire malware attack lifecycle including filtering, detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save as much as half the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT network. In addition to maximizing the protection and reliability of your computer network, Progent's software/firmware update management services free up time for your IT team to concentrate on more strategic projects and tasks that derive the highest business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to a different hosting solution without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's next generation behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus tools. ProSight ASM protects local and cloud resources and offers a unified platform to automate the complete malware attack progression including protection, detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device management, and web filtering via leading-edge tools incorporated within one agent managed from a single control. Progent's security and virtualization experts can assist you to plan and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent's consultants can also assist your company to set up and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
For 24-Hour Chicago Ransomware Repair Consulting, call Progent at 800-462-8800 or go to Contact Progent.