Ransomware: Your Crippling Information Technology Disaster
Ransomware Remediation Professionals
Ransomware has become a modern cyber pandemic that poses an extinction-level threat to businesses of all sizes that are unprepared for an assault. Multiple generations of ransomware such as the CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for many years and still cause harm. Newer strains like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, along with additional as yet unnamed malware, not only encrypt critical online data but also corrupt every configured system restore point and backup they can reach. Data synced to cloud environments can also be encrypted. On a vulnerable system this renders automated restoration impossible and effectively sets the entire environment back to zero.

Retrieving applications and information after a crypto-ransomware outage becomes a race against the clock as the victim struggles to stop the spread, remove the ransomware and resume mission-critical operations. Because ransomware needs time to spread, assaults are often launched at night, when a successful penetration may take longer to identify. This compounds the difficulty of quickly assembling and coordinating an experienced mitigation team.

Progent offers a variety of services for protecting organizations from ransomware events. These include staff education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of AI-capable security products from SentinelOne to identify and suppress zero-day cyber attacks quickly. Progent can also provide experienced ransomware recovery consultants with the skills and perseverance to rebuild a breached environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware penetration, even paying the ransom in Bitcoin does not ensure that the criminal gang will hand over the keys to decrypt all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000), significantly above the typical ransomware demand, which ZDNet put in the range of $13,000. The fallback is to piece back together the vital parts of your IT environment. Without access to complete system backups, this calls for a wide complement of skill sets, professional project management, and the ability to work continuously until the job is done.

For two decades, Progent has provided professional IT services for businesses in Chicago and throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold advanced certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (visit Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to quickly identify critical systems following a ransomware event, salvage the surviving pieces of your IT environment, and rebuild them into an operational system.

Progent's recovery team uses powerful project management systems to coordinate the complex restoration process. Progent appreciates the importance of acting rapidly and in unison with a client's management and IT resources to prioritize tasks and get critical services back online as fast as possible.

Business Case Study: A Successful Ransomware Intrusion Recovery
A client engaged Progent after its network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government-sponsored cybercriminals, suspected of adopting code leaked from America's NSA. Ryuk targets specific organizations with limited ability to sustain disruption and is one of the most lucrative instances of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 employees. The Ryuk penetration had shut down all company operations and manufacturing processes. Most of the client's data backups had been online at the time of the intrusion and were damaged. The client was pursuing financing to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately turned to Progent.


"I can't thank you enough for the help Progent provided us throughout the most fearful time of (our) business's life. We may have had to pay the cybercriminals except for the confidence the Progent group gave us. The fact that you were able to get our messaging and production servers back online in less than a week was beyond my wildest dreams. Each person I spoke to or e-mailed at Progent was urgently focused on getting us restored and was working day and night on our behalf."

Progent worked hand in hand with the client to rapidly identify and prioritize the key services that had to be addressed in order to resume company operations:

  • Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP

To get going, Progent adhered to industry incident response best practices by stopping the spread and cleaning up compromised systems. Progent then began restoring Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Active Directory, and the customer's financial and MRP applications relied on Microsoft SQL Server, which depends on Windows AD for access to the database.
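The ordering described above (Active Directory first, because Exchange and the SQL-backed accounting/MRP applications cannot come back without it) is a dependency problem that is worth writing down explicitly before a recovery starts rather than working out under pressure. The following is an added example, not Progent's tooling or anything from the case study: it takes a constructed service map and hypothetical business priorities and produces a restoration order in which no service is scheduled before its prerequisites, and a low-profile prerequisite such as SQL Server inherits the urgency of the critical application that depends on it.

```python
"""Dependency-ordered recovery planning (added example, not Progent's tooling).

Models the situation from the case study: Exchange and the SQL-backed
accounting/MRP applications cannot come back until Active Directory does, so
AD is restored first even though the business cares most about email and MRP.
"""
from collections import defaultdict

# Constructed service map. Key = service, value = services it depends on.
DEPENDENCIES = {
    "Active Directory": [],
    "Microsoft Exchange Server": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "Accounting/MRP": ["SQL Server"],
    "Internal web sites": ["Active Directory"],
    "MailStore archive": ["Microsoft Exchange Server"],
}

# Hypothetical business priority per service (lower = more urgent).
# SQL Server is deliberately given a low priority of its own: the planner
# must still restore it early because Accounting/MRP depends on it.
PRIORITY = {
    "Active Directory": 0,
    "Microsoft Exchange Server": 1,
    "Accounting/MRP": 1,
    "SQL Server": 5,
    "Internal web sites": 3,
    "MailStore archive": 4,
}


def _dependents(deps):
    """Invert the dependency map: prerequisite -> services that need it."""
    out = defaultdict(list)
    for svc, prereqs in deps.items():
        for p in prereqs:
            if p not in deps:
                raise ValueError(f"unknown prerequisite {p!r} for {svc!r}")
            out[p].append(svc)
    return out


def effective_priority(deps, priority):
    """A prerequisite inherits the urgency of the most urgent service built on it."""
    dependents = _dependents(deps)
    eff = {}

    def visit(svc, path):
        if svc in eff:
            return eff[svc]
        if svc in path:
            raise ValueError(f"dependency cycle through {svc!r}")
        path.add(svc)
        val = priority.get(svc, 99)  # unlisted services are least urgent
        for d in dependents[svc]:
            val = min(val, visit(d, path))
        path.discard(svc)
        eff[svc] = val
        return val

    for s in deps:
        visit(s, set())
    return eff


def recovery_order(deps, priority):
    """Kahn's topological sort; whenever several services are ready, the most urgent goes first."""
    eff = effective_priority(deps, priority)
    dependents = _dependents(deps)
    remaining = {s: len(p) for s, p in deps.items()}  # unrestored prerequisites per service
    ready = [s for s, n in remaining.items() if n == 0]
    order = []
    while ready:
        ready.sort(key=lambda s: (eff[s], s))
        svc = ready.pop(0)
        order.append(svc)
        for d in dependents[svc]:
            remaining[d] -= 1
            if remaining[d] == 0:
                ready.append(d)
    if len(order) != len(deps):
        raise ValueError("dependency cycle; no valid recovery order")
    return order


if __name__ == "__main__":
    for step, svc in enumerate(recovery_order(DEPENDENCIES, PRIORITY), 1):
        print(f"{step}. {svc}")
```

With the constructed map the plan comes out as Active Directory, Exchange, SQL Server, Accounting/MRP, internal web sites, then the MailStore archive; a cycle in the dependency map (which usually means the map is wrong) is reported instead of silently producing a partial plan.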

In less than 2 days, Progent restored Active Directory services to their pre-penetration state. Progent then carried out reinstallation and storage recovery of the most important servers. All Microsoft Exchange Server data and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to find intact OST files (Outlook Offline Data Files) on staff workstations to recover email data. A recent offline backup of the customer's accounting/ERP systems made it possible to bring these vital programs back online. Although a large amount of work remained to recover fully from the Ryuk attack, the most important services were returned to operation rapidly:


"For the most part, the production line operation was never shut down and we delivered all customer deliverables."

Over the following few weeks, key milestones in the recovery project were reached through close cooperation between Progent consultants and the client:

  • Internal web sites were restored with no loss of information.
  • The MailStore email archive server, holding over 4 million archived emails, was brought online and made available to users.
  • CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory capabilities were 100% operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Most of the user PCs were back in operation.

"So much of what happened during the initial response is mostly a blur for me, but our team will not soon forget the dedication each of your team showed to give us our business back. I have utilized Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This time was a stunning achievement."

Conclusion
A potential business catastrophe was averted through dedicated professionals, a broad spectrum of knowledge, and tight collaboration. Although forensic analysis showed that the ransomware attack detailed here would have been identified and disabled by modern cyber security solutions, NIST Cybersecurity Framework best practices, user training, and well-designed security procedures for information protection and patching controls, the reality is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, be assured that Progent's team of experts has extensive experience in crypto-ransomware defense, remediation, and disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thanks very much for letting me get some sleep after we made it through the initial push. All of you made an incredible effort, and if anyone is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Chicago a range of remote monitoring and security assessment services to help you minimize your exposure to ransomware. These services use modern machine learning to detect zero-day variants of crypto-ransomware that escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely get past traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to address the entire threat progression, including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified console. Progent's security and virtualization experts can help your business design and configure a ProSight ESP environment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also help your company set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup technology companies to create ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and track your backup operations and allow transparent backup and fast recovery of important files, applications, system images, and VMs. ProSight DPS lets you avoid data loss caused by equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you identify which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security companies to deliver centralized control and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway device to offer advanced protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne malware. The cloud filter acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper level of analysis for incoming email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map out, track, reconfigure and troubleshoot their connectivity hardware such as routers, switches, firewalls, and wireless controllers, plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are always up to date, copies and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off common chores such as network mapping, expanding your network, finding appliances that require important software patches, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your network operating efficiently by tracking the state of the critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT staff and your Progent consultant so that any looming issues can be resolved before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard data related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your network infrastructure, such as recommended procedures and How-Tos. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior-based machine learning technology to guard endpoints, servers and VMs against new malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus tools. These services protect on-premises and cloud resources and offer a single platform to automate the entire threat progression, including protection, identification, containment, cleanup, and forensics. Top features include single-click rollback with Windows VSS and real-time system-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Center: Help Desk Managed Services
    Progent's Help Desk managed services let your information technology group offload Help Desk services to Progent or divide support activity seamlessly between your in-house network support group and Progent's extensive pool of certified IT service engineers and subject matter experts. Progent's Co-managed Help Desk offers a seamless extension of your in-house network support resources. User interaction with the Help Desk, delivery of support, issue escalation, trouble ticket generation and tracking, performance measurement, and maintenance of the service database are consistent whether issues are handled by your core IT support organization, by Progent's team, or by a mix of the two. Read more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's patch management services offer businesses of all sizes a versatile and affordable option for assessing, validating, scheduling, implementing, and tracking software and firmware updates across your evolving information system. In addition to maximizing the protection and functionality of your computer network, Progent's patch management services allow your IT team to concentrate on more strategic initiatives and activities that derive maximum business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA service plans use Cisco's Duo cloud technology to protect against stolen passwords through two-factor authentication (2FA). Duo enables one-tap identity confirmation on iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a secured online account and enter your password, you are asked to confirm who you are via a device that only you possess and that is reached over a different network channel. A wide range of out-of-band devices can be used as this second means of identity validation, such as an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline telephone. You can designate multiple validation devices. To find out more about Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services for access security.

For Chicago 24/7/365 crypto-ransomware recovery experts, call Progent at 800-462-8800 or go to Contact Progent.