Ransomware : Your Feared Information Technology Catastrophe
Crypto-Ransomware Recovery Experts
Ransomware has become a modern cyber pandemic that poses an existential threat to businesses of all sizes vulnerable to an assault. Versions of ransomware like the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been running rampant for many years and still inflict harm. The latest strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, plus more as yet unnamed malware, not only encrypt on-line information but also infect any configured system restores and backups. Files replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed system, this can make automatic recovery useless and effectively sets the network back to zero.

Getting applications and information back online after a ransomware intrusion becomes a sprint against the clock as the targeted business tries its best to stop the spread, clean up the crypto-ransomware, and resume business-critical activity. Since ransomware takes time to spread, assaults are frequently launched during nights and weekends, when successful penetrations tend to take longer to recognize. This compounds the difficulty of quickly mobilizing and organizing a qualified mitigation team.

Progent provides a range of support services for securing businesses from ransomware attacks. These include team education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security gateways with machine learning capabilities to rapidly detect and quarantine day-zero threats. Progent in addition can provide the assistance of expert ransomware recovery professionals with the talent and commitment to restore a compromised network as urgently as possible.

Progent's Crypto-Ransomware Restoration Help
Soon after a crypto-ransomware penetration, paying the ransom in cryptocurrency does not guarantee that criminal gangs will respond with the codes needed to decrypt any of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their information after having paid the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to piece back together the mission-critical elements of your Information Technology environment. Without full information backups available, this requires a broad complement of skill sets, well-coordinated project management, and the ability to work non-stop until the recovery project is finished.

For twenty years, Progent has provided certified expert IT services for businesses in Chicago and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the ability to efficiently identify necessary systems and organize the surviving pieces of your network system after a ransomware event and rebuild them into an operational system.

Progent's security group deploys powerful project management applications to orchestrate the complicated recovery process. Progent knows the urgency of working quickly and in unison with a customer's management and Information Technology team members to assign priority to tasks and to put key services back online as fast as possible.

Client Case Study: A Successful Ransomware Incident Response
A small business contacted Progent after their organization was taken over by Ryuk ransomware. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with little room for operational disruption and is among the most lucrative iterations of ransomware malware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with about 500 employees. The Ryuk intrusion had disabled all essential operations and manufacturing processes. Most of the client's system backups had been directly accessible at the beginning of the attack and were destroyed. The client was actively seeking loans to pay the ransom (exceeding $200K) and hoping for the best, but ultimately made the decision to use Progent.

"I cannot speak enough in regards to the support Progent provided us throughout the most critical time of (our) company's survival. We most likely would have paid the Hackers except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail and production servers back in less than 1 week was something I thought impossible. Every single person I got help from or texted at Progent was amazingly focused on getting our system up and was working all day and night on our behalf."

Progent worked hand in hand with the client to rapidly identify and assign priority to the critical systems that needed to be recovered to make it possible to restart business functions:

  • Windows Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software

To start, Progent followed anti-malware incident mitigation best practices by halting lateral movement and cleaning up compromised systems. Progent then started the process of bringing Windows Active Directory back online, the foundation of enterprise networks built upon Microsoft Windows Server technology. Exchange messaging will not work without AD, and the business's accounting and MRP system utilized SQL Server, which requires Windows AD to authorize access to the data.

Within 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery for mission-critical applications. All Exchange schema and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Email Off-Line Data Files) on team PCs to recover email data. A recent off-line backup of the client's manufacturing software made it possible to bring these essential services back online for users. Although a large amount of work still needed to be completed to recover fully from the Ryuk event, essential systems were recovered quickly:

"For the most part, the production operation ran fairly normal throughout and we delivered all customer sales."

During the next month critical milestones in the restoration process were achieved in close collaboration between Progent consultants and the customer:

  • In-house web applications were returned to operation without losing any information.
  • The MailStore Server containing more than four million historical emails was brought online and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control modules were 100% operational.
  • A new Palo Alto 850 firewall was installed and configured.
  • Ninety percent of the user PCs were fully operational.

"A lot of what went on that first week is mostly a blur for me, but our team will not forget the commitment all of your team put in to help get our business back. I have entrusted Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This event was a stunning achievement."

A possible business extinction catastrophe was averted with dedicated professionals, a wide range of knowledge, and tight teamwork. Although in retrospect the ransomware incident described here would have been stopped with current cyber security systems, ISO/IEC 27001 best practices, user training, well-designed security procedures for information protection, and keeping systems up to date with security patches, the reality remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and will continue. If you do get hit by a ransomware penetration, feel confident that Progent's roster of experts has substantial experience in crypto-ransomware virus blocking, remediation, and data recovery.

"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for making it so I could get some sleep after we made it over the first week. All of you did an incredible job, and if any of your guys is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Chicago a variety of online monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services utilize next-generation machine learning technology to uncover zero-day variants of ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based analysis tools to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily evade legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to automate the complete threat progression including filtering, identification, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge technologies packaged within a single agent accessible from a single control. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP environment that meets your company's unique requirements and that allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent can also help your company to set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses a low-cost end-to-end solution for reliable backup/disaster recovery. For a low monthly price, ProSight Data Protection Services automates your backup processes and enables rapid restoration of vital data, apps and VMs that have become unavailable or damaged as a result of hardware breakdowns, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's backup and recovery consultants can deliver advanced support to set up ProSight DPS to be compliant with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security vendors to provide centralized control and comprehensive protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard combines cloud-based filtering with a local gateway appliance to offer complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most unwanted email from reaching your network firewall. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite gateway device provides a deeper layer of analysis for incoming email. For outgoing email, the onsite gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, track, optimize and debug their networking hardware like routers, firewalls, and access points plus servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always current, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when problems are discovered. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding devices that require critical updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your network operating at peak levels by checking the state of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT staff and your Progent engineering consultant so that any potential problems can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported easily to an alternate hosting environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard information related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can save up to half the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.

For 24-7 Chicago Crypto-Ransomware Repair Help, contact Progent at 800-993-9400 or go to Contact Progent.