Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware Recovery Consultants

Ransomware has become an escalating cyber pandemic that represents an extinction-level threat for businesses of all sizes that are poorly prepared for an attack. Multiple generations of ransomware such as the Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for years and still cause harm. The latest strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, plus daily as yet unnamed viruses, not only encrypt online data files but also compromise any accessible system protection mechanisms. Files replicated to cloud environments can also be encrypted. In a poorly architected environment, this can render automated recovery impossible and essentially knocks the datacenter back to zero.

Getting applications and information back online following a crypto-ransomware event becomes a race against time as the victim fights to contain and clean up the ransomware and to resume business-critical operations. Because ransomware requires time to spread, attacks are frequently launched at night, when they typically take longer to uncover. This multiplies the difficulty of promptly marshalling and orchestrating an experienced response team.

Progent offers a variety of support services for protecting organizations from ransomware penetrations. Among these are user education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security gateways with AI technology to quickly identify and extinguish day-zero cyber attacks. Progent also can provide the services of expert crypto-ransomware recovery engineers with the talent and commitment to re-deploy a compromised system as rapidly as possible.

Progent's Ransomware Recovery Help
After a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that the cyber criminals will return the keys needed to decrypt any of your information. Kaspersky estimated that 17% of ransomware victims never recovered their data even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimates to average around $13,000. The other path is to piece back together the essential elements of your Information Technology environment. Absent the availability of full data backups, this calls for a wide complement of skills, top-notch team management, and the ability to work non-stop until the job is completed.

For two decades, Progent has provided expert Information Technology services for businesses in Chicago and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience in financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently identify necessary systems and organize the remaining components of your Information Technology environment following a ransomware penetration and rebuild them into an operational system.

Progent's security group deploys powerful project management systems to coordinate the complicated recovery process. Progent knows the urgency of acting rapidly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to put key applications back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Incident Recovery
A business escalated to Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state cybercriminals, possibly adopting approaches leaked from the United States NSA. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most lucrative iterations of ransomware viruses. Major victims have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company located in the Chicago metro area with about 500 workers. The Ryuk attack had frozen all business operations and manufacturing processes. The majority of the client's data backups had been online at the start of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (exceeding $200,000) and hoping for good luck, but ultimately called Progent.


"I cannot tell you enough in regards to the care Progent gave us throughout the most stressful time of (our) company's life. We most likely would have paid the cybercriminals except for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and critical servers back quicker than a week was amazing. Each person I talked with or communicated with at Progent was hell bent on getting us operational and was working at all hours to bail us out."

Progent worked with the client to quickly identify and prioritize the critical services that needed to be recovered in order to resume departmental functions:

  • Windows Active Directory
  • Microsoft Exchange
  • MRP System

To start, Progent followed industry best practices for malware incident mitigation by isolating and cleaning up infected systems. Progent then initiated the process of bringing Active Directory back online, since it is the foundation of enterprise networks built upon Microsoft technology. Exchange messaging will not function without Windows AD, and the business's accounting and MRP applications used Microsoft SQL Server, which depends on Active Directory for access to the information.

In less than two days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then charged ahead with setup and hard drive recovery of mission-critical servers. All Exchange ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST data files (Outlook Offline Data Files) on various PCs and laptops in order to recover mail information. A recent offline backup of the client's financials/MRP software made it possible to return these essential services to users. Although major work remained to recover fully from the Ryuk attack, the most important services were restored rapidly:


"For the most part, the assembly line operation survived unscathed and we delivered all customer deliverables."

Over the following few weeks key milestones in the recovery process were achieved in close collaboration between Progent consultants and the client:

  • In-house web applications were brought back up with no loss of information.
  • The MailStore Server with over four million archived messages was brought online and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100% recovered.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Nearly all of the user desktops were back into operation.

"Much of what happened during the initial response is nearly entirely a fog for me, but my management will not soon forget the care each and every one of the team accomplished to help get our business back. I've been working together with Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a life saver."

Conclusion
A probable business extinction catastrophe was avoided with hard-working professionals, a wide array of technical expertise, and close collaboration. Although in post mortem the ransomware virus penetration detailed here should have been identified and stopped with up-to-date security solutions and best practices, staff training, and appropriate security procedures for information protection and applying software patches, the reality remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's roster of professionals has extensive experience in ransomware virus blocking, removal, and file disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for allowing me to get some sleep after we got past the most critical parts. All of you did an incredible job, and if anyone that helped is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Chicago a portfolio of online monitoring and security evaluation services to assist you to reduce the threat from crypto-ransomware. These services include modern machine learning capability to uncover zero-day strains of crypto-ransomware that can evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next generation behavior analysis technology to guard physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to automate the entire malware attack progression including blocking, identification, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device management, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP deployment that meets your organization's specific requirements and that allows you to prove compliance with legal and industry information security regulations. Progent will assist you to define and configure the policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require immediate action. Progent's consultants can also assist you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based management offerings that provide backup-as-a-service. ProSight DPS services manage and monitor your backup operations and allow non-disruptive backup and rapid restoration of important files, applications, system images, and virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware breakdown, natural calamities, fire, malware like ransomware, user mistakes, malicious employees, or software bugs. Managed services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security companies to deliver web-based management and comprehensive security for all your inbound and outbound email. The powerful architecture of the Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of threats from reaching your network firewall. This reduces your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway device provides a further level of analysis for incoming email. For outgoing email, the local security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and protect internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, enhance and troubleshoot their connectivity appliances like routers, firewalls, and access points as well as servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration of almost all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, locating devices that require critical software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system running at peak levels by checking the state of the critical computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT management staff and your Progent consultant so that any potential problems can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved immediately to a different hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect information related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can save up to half of the time wasted looking for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes cutting-edge behavior-based machine learning tools to guard endpoint devices as well as servers and VMs against new malware assaults like ransomware and email phishing, which routinely escape traditional signature-based AV tools. Progent ASM services safeguard on-premises and cloud-based resources and provide a unified platform to automate the entire malware attack lifecycle including protection, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Desk: Help Desk Managed Services
    Progent's Help Desk managed services enable your information technology group to outsource Support Desk services to Progent or to split support activity transparently between your internal network support staff and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent supplement to your corporate network support team. User access to the Help Desk, provision of technical assistance, problem escalation, ticket generation and updates, efficiency metrics, and management of the support database are cohesive whether issues are resolved by your in-house IT support group, by Progent, or both. Learn more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of any size a versatile and affordable solution for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. Besides optimizing the security and reliability of your computer network, Progent's software/firmware update management services permit your in-house IT staff to focus on line-of-business initiatives and activities that derive maximum business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication. Duo supports single-tap identity verification on iOS, Google Android, and other personal devices. Using Duo 2FA, when you log into a secured application and enter your password you are asked to verify your identity via a device that only you have and that is accessed using a different ("out-of-band") network channel. A broad range of devices can be used for this added means of authentication, including a smartphone or wearable, a hardware token, or a landline phone. You may register several verification devices. To learn more about Duo two-factor identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services.

For 24/7/365 Chicago crypto-ransomware recovery services, reach out to Progent at 800-462-8800 or go to Contact Progent.