Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware Remediation Experts
Ransomware has become an escalating cyber plague that represents an existential danger for businesses of all sizes that are unprepared for an attack. Older versions of ransomware such as Reveton, WannaCry, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been circulating for many years and still inflict harm. Recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with unnamed variants that appear daily, not only encrypt online data files but also target any reachable system restore points and backups. Data replicated to cloud environments can also be corrupted. In a poorly designed data protection solution, this can make automated restoration hopeless and effectively sets the datacenter back to square one.

Restoring services and information following a ransomware attack becomes a sprint against time as the targeted business tries to contain the spread, eradicate the malware and restore business-critical activity. Because ransomware needs time to propagate, attacks are often launched during weekends and nights, when intrusions typically take longer to discover. This multiplies the difficulty of quickly marshalling and organizing a capable mitigation team.

Progent offers a range of help services for protecting organizations from ransomware attacks. Among these are user training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security appliances with AI technology from SentinelOne to discover and quarantine zero-day cyber threats intelligently. Progent in addition can provide the assistance of seasoned ransomware recovery engineers with the track record and commitment to reconstruct a compromised network as rapidly as possible.

Progent's Ransomware Restoration Services
Following a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the attackers will deliver the keys needed to decrypt all your files. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their data after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNet reports to average about $13,000. The other path is to piece back together the vital components of your IT environment. Without access to essential data backups, this calls for a wide range of IT skills, top-notch team management, and the capability to work 24x7 until the recovery project is completed.

For two decades, Progent has provided professional Information Technology services for businesses in Chicago and throughout the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts hold internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the skills to efficiently identify critical systems, reorganize the surviving parts of your computer network after a ransomware penetration, and rebuild them into a functioning network.

Progent's recovery team uses best-of-breed project management systems to coordinate the complex restoration process. Progent appreciates the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and to get essential systems back online as fast as humanly possible.

Case Study: A Successful Crypto-Ransomware Virus Recovery
A client engaged Progent after their company was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean government-sponsored hackers, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most lucrative variants of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in the Chicago metro area with around 500 staff members. The Ryuk attack had shut down all business operations and manufacturing capabilities. The majority of the client's system backups had been online at the time of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (exceeding $200,000) and hoping for the best, but ultimately engaged Progent instead.


"I cannot thank you enough in regards to the expertise Progent provided us during the most fearful period of (our) business's life. We most likely would have paid the cybercriminals except for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and production servers back online in less than seven days was incredible. Every single expert I got help from or texted at Progent was urgently focused on getting my company operational and was working day and night on our behalf."

Progent worked together with the customer to rapidly understand and prioritize the essential services that had to be recovered to make it possible to restart company operations:

  • Windows Active Directory
  • Electronic Messaging
  • Financials/MRP
To begin, Progent adhered to ransomware incident mitigation best practices by isolating affected systems and removing active malware. Progent then started the work of rebuilding Microsoft Active Directory, the core of enterprise systems built on Microsoft technology. Exchange email will not operate without Active Directory, and the business's MRP software used Microsoft SQL Server, which depends on Active Directory for authenticated access to the database.

In less than two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and storage recovery for mission-critical applications. All Microsoft Exchange Server schema and configuration information was usable, which greatly helped the restoration of Exchange. Progent was able to find intact OST files (Microsoft Outlook Offline Data Files) on staff workstations to recover mail data. A recent offline backup of the customer's manufacturing systems made it possible to bring these essential services back online. Although a lot of work still had to be done to recover completely from the Ryuk attack, critical systems were recovered rapidly:
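The recovery sequence above (Active Directory first, because Exchange and the MRP system's SQL Server both authenticate through it) is an instance of dependency-ordered restoration. The following script is an added example, not code from Progent or from the case study: it takes a map of services to their prerequisites and computes the waves in which they can be rebuilt, so that nothing is restored before what it depends on, and it flags dependency cycles, which would indicate a broken runbook. The service names come from the case study; the specific dependency edges (for example MailStore depending on Exchange, and workstations on Active Directory) are assumptions made for illustration, as is the helper's API.

```python
"""Dependency-ordered recovery planning (added example, hypothetical tooling).

Given a map of service -> prerequisites, compute the restoration waves:
every service in wave N has all of its prerequisites in earlier waves, so
services within one wave can be rebuilt in parallel.  This generalises the
case study's reasoning (rebuild Active Directory before Exchange and SQL
Server, and SQL Server before the MRP application).
"""
from typing import Dict, Iterable, List

# Constructed from the case study.  The edges are illustrative assumptions,
# not a statement of how the customer's environment was actually wired.
CASE_STUDY_DEPS: Dict[str, List[str]] = {
    "Active Directory": [],
    "Exchange Server": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP/Financials": ["SQL Server"],
    "MailStore archive": ["Exchange Server"],
    "Self-hosted web sites": [],
    "Desktop workstations": ["Active Directory"],
}


def restoration_waves(deps: Dict[str, Iterable[str]]) -> List[List[str]]:
    """Return restoration waves using a layered topological sort (Kahn's algorithm).

    Each wave is sorted alphabetically so the plan is deterministic.
    Raises ValueError if a dependency cycle means nothing could be restored first.
    """
    # Every prerequisite becomes a node even if it has no entry of its own.
    remaining = {svc: set(pre) for svc, pre in deps.items()}
    for pre in list(remaining.values()):
        for p in pre:
            remaining.setdefault(p, set())

    waves: List[List[str]] = []
    while remaining:
        ready = sorted(svc for svc, pre in remaining.items() if not pre)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        waves.append(ready)
        for svc in ready:
            del remaining[svc]
        # Mark this wave as restored for everything still waiting.
        for pre in remaining.values():
            pre.difference_update(ready)
    return waves


def restoration_order(deps: Dict[str, Iterable[str]]) -> List[str]:
    """Flatten the waves into a single sequential runbook order."""
    return [svc for wave in restoration_waves(deps) for svc in wave]


def has_cycle(deps: Dict[str, Iterable[str]]) -> bool:
    """True if the dependency map cannot be fully ordered (a runbook defect)."""
    try:
        restoration_waves(deps)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for n, wave in enumerate(restoration_waves(CASE_STUDY_DEPS), start=1):
        print(f"Wave {n}: {', '.join(wave)}")
```

Feeding the constructed map through the planner puts Active Directory (and the independent web sites) in the first wave, Exchange, SQL Server and workstations in the second, and the MRP application and mail archive in the third, which matches the order the case study actually followed.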


"For the most part, the production manufacturing operation showed little impact and we did not miss any customer orders."

Over the next few weeks, critical milestones in the restoration project were achieved through tight collaboration between Progent team members and the customer:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Exchange Server archive, holding more than 4 million messages, was brought online and made accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control functions were 100% functional.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Most of the desktop computers were fully operational.

"So much of what occurred those first few days is nearly entirely a fog for me, but my team will not forget the dedication each and every one of you put in to help get our company back. I have been working together with Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A potentially business-ending catastrophe was avoided through the efforts of dedicated professionals, a wide array of IT skills, and close collaboration. Although in hindsight the ransomware incident described here could have been prevented with modern cyber security solutions and ISO/IEC 27001 best practices, user and IT administrator training, and appropriate incident response procedures for information backup and keeping systems up to date with security patches, the reality is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, be assured that Progent's roster of experts has extensive experience in ransomware defense, mitigation, and data restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for making it so I could get some sleep after we made it over the first week. All of you did a fabulous job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Chicago a range of online monitoring and security evaluation services to help you minimize your exposure to crypto-ransomware. These services incorporate next-generation artificial intelligence technology to uncover zero-day strains of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to manage the entire malware attack lifecycle including protection, infiltration detection, containment, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring of and reaction to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering via cutting-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to design and configure a ProSight ESP environment that meets your company's specific requirements and that allows you to demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology companies to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup operations and allow non-disruptive backup and fast recovery of important files, applications, system images, and virtual machines. ProSight DPS helps your business recover from data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks like ransomware, user error, malicious employees, or application glitches. Managed backup services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to deliver web-based management and world-class protection for your inbound and outbound email. The powerful structure of Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks most unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a further level of inspection for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, enhance and troubleshoot their networking appliances like routers and switches, firewalls, and load balancers as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when problems are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common chores like making network diagrams, expanding your network, finding devices that need important updates, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your network running at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT personnel and your assigned Progent engineering consultant so all potential problems can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be ported easily to an alternate hosting solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information about your network infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can save as much as half the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates next-generation behavior-based machine learning tools to guard endpoints and physical and virtual servers against new malware assaults such as ransomware and email phishing, which routinely get past traditional signature-based AV products. Progent's Active Security Monitoring services safeguard on-premises and cloud-based resources and offer a single platform to address the complete malware attack progression including protection, infiltration detection, mitigation, cleanup, and forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Call Center managed services enable your IT staff to offload Help Desk services to Progent or split activity for support services seamlessly between your in-house support group and Progent's extensive pool of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless supplement to your in-house IT support organization. Client access to the Help Desk, delivery of technical assistance, issue escalation, trouble ticket creation and updates, performance metrics, and management of the service database are consistent regardless of whether incidents are taken care of by your core network support resources, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. In addition to optimizing the security and reliability of your computer network, Progent's patch management services free up time for your IT team to focus on more strategic initiatives and tasks that derive the highest business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication (2FA). Duo supports one-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a separate network channel. A broad range of devices can serve as this added means of authentication, such as a smartphone or wearable, a hardware or software token, or a landline telephone. You may register multiple validation devices. To find out more about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of real-time and in-depth management reporting tools created to integrate with the industry's leading ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

For 24-7 Chicago Ransomware Removal Support Services, contact Progent at 800-462-8800 or go to Contact Progent.