Ransomware: Your Feared Information Technology Nightmare
Ransomware Recovery Professionals
Ransomware has become a modern cyber pandemic and an enterprise-level threat to any organization exposed to attack. Ransomware families such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock have run rampant for years and continue to inflict damage. More recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, along with a daily stream of unnamed strains, not only encrypt online data but also attack whatever protection is reachable from the compromised network, such as shadow copies and online backup repositories. Data synchronized to the cloud can be corrupted as well. In a poorly architected environment this renders automated restore operations useless and effectively knocks the datacenter back to zero.

Bringing programs and data back online after a crypto-ransomware attack becomes a race against the clock as the targeted business fights to stop lateral movement, remove the malware and resume mission-critical operations. Because encryption takes time to spread across a network, attacks are often launched on weekends and holidays, when intrusions take longer to notice. This compounds the difficulty of quickly marshalling and orchestrating a capable response team.

Progent has a variety of solutions for securing businesses from ransomware attacks. These include staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of next-generation security solutions with artificial intelligence capabilities from SentinelOne to detect and quarantine new cyber attacks rapidly. Progent in addition offers the assistance of seasoned ransomware recovery professionals with the track record and commitment to reconstruct a breached system as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
Even paying the ransom, usually demanded in Bitcoin, does not guarantee that the criminals will hand over working decryption keys for any or all of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The demands themselves are steep: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the typical ransomware demand, which ZDNET estimated at about $13,000. The fallback is to piece back together the critical elements of your IT environment. Without access to complete backups, this calls for a wide complement of skills, well-coordinated team management, and the capacity to work around the clock until the job is done.

For decades, Progent has provided professional IT services to businesses in Skokie and throughout the US, and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants with advanced certifications in key technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cyber security specialists hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of experience lets Progent knowledgeably identify critical systems, organize the surviving components of your IT environment after a crypto-ransomware event, and assemble them into a functioning network.

Progent's security group uses proven project management tools to orchestrate the complex restoration process. Progent understands the importance of working quickly, and together with a customer's management and IT staff, to prioritize tasks and bring essential systems back online as fast as possible.

Business Case Study: A Successful Ransomware Incident Restoration
A client engaged Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk was initially attributed by some researchers to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, though later analysis tied its operation to a Russian-speaking criminal group. Ryuk targets organizations with limited ability to tolerate operational disruption and is one of the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing processes. Most of the client's backups had been directly accessible from the network when the intrusion began and were eventually encrypted along with everything else. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but ultimately brought in Progent.


"I cannot tell you enough in regards to the expertise Progent provided us throughout the most fearful period of (our) businesses life. We may have had to pay the criminal gangs if not for the confidence the Progent group afforded us. That you were able to get our e-mail system and production servers back into operation faster than five days was beyond my wildest dreams. Every single person I talked with or communicated with at Progent was totally committed on getting us back on-line and was working non-stop on our behalf."

Progent worked hand in hand with the customer to rapidly identify and prioritize the key services that had to be restored before company functions could restart:

  • Microsoft Active Directory
  • E-Mail
  • Accounting/MRP
To begin, Progent followed incident response best practices by containing the spread and removing the malware. Progent then began rebuilding Windows Active Directory, the core of enterprise environments built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the business's financial and MRP applications ran on Microsoft SQL Server, which depended on Active Directory for authenticating access to the databases.
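The dependency ordering described above (nothing in a Windows domain comes back before Active Directory, and the line-of-business applications wait on SQL Server) can be written down as an explicit restore plan rather than kept in someone's head during the crisis. The following Python is an added example and is not Progent's tooling; the dependency map is reconstructed from the case study, with the DNS and SQL Server edges assumed as typical for a Windows shop. It groups services into restore waves with Kahn's algorithm, refuses a plan that contains a circular dependency, and reports which services a single encrypted backup would take down with it, which is the question to ask when deciding which backups must be kept offline.

```python
"""Turn service dependencies into a restore plan.

Added example, not Progent's tooling. The map below is reconstructed from the case
study; the DNS and SQL Server edges are assumptions about a typical Windows shop.
"""
from collections import defaultdict

DEPENDENCIES = {
    "DNS": set(),                                   # AD cannot start without name resolution
    "Active Directory": {"DNS"},
    "Exchange": {"Active Directory"},               # Exchange keeps its configuration in AD
    "SQL Server": {"Active Directory"},             # Windows authentication for database access
    "Accounting/MRP": {"SQL Server"},
    "CRM": {"SQL Server"},
    "Internal web apps": {"Active Directory", "SQL Server"},
}


def restore_waves(deps):
    """Group services into waves (Kahn's algorithm): every service in a wave depends
    only on services in earlier waves. A cycle means the plan is impossible as written."""
    remaining = {svc: set(req) for svc, req in deps.items()}
    for req in deps.values():
        for r in req:
            remaining.setdefault(r, set())   # tolerate deps named only on the right-hand side
    waves = []
    while remaining:
        ready = sorted(svc for svc, req in remaining.items() if not req)
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        waves.append(ready)
        for svc in ready:
            del remaining[svc]
        for req in remaining.values():
            req.difference_update(ready)
    return waves


def downstream(deps, service):
    """Every service that is transitively unavailable while `service` is down, i.e.
    what you lose if that one backup turns out to be encrypted."""
    dependents = defaultdict(set)
    for svc, req in deps.items():
        for r in req:
            dependents[r].add(svc)
    lost, stack = set(), [service]
    while stack:
        for d in dependents[stack.pop()]:
            if d not in lost:
                lost.add(d)
                stack.append(d)
    return lost


if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(DEPENDENCIES), 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("lost with SQL Server:", sorted(downstream(DEPENDENCIES, "SQL Server")))
```

Run stand-alone it prints four waves (DNS; Active Directory; Exchange and SQL Server; then the applications), matching the order the recovery actually followed. Replace the map with your own inventory and the output doubles as the checklist for which backups must never be reachable from a domain-joined host.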

Within 48 hours, Progent had restored Windows Active Directory to its pre-intrusion state. Progent then reinstalled key applications and recovered what it could from their disks. All Microsoft Exchange Server schema and configuration information was intact, which simplified the Exchange restore. Progent located local OST files (Outlook Offline Folder Files) on user desktops and laptops to recover mail data; an OST holds the locally cached copy of a user's mailbox, so it preserves whatever had synchronized before the attack. A reasonably recent offline backup of the business's accounting/MRP systems made it possible to bring those essential applications back to users. Although much work remained to recover completely from the Ryuk damage, the most important services were restored quickly:


"For the most part, the production manufacturing operation did not miss a beat and we produced all customer orders."

Over the following few weeks important milestones in the recovery process were achieved in close cooperation between Progent engineers and the client:

  • Internal web applications were brought back up without losing any data.
  • The MailStore email archive for Microsoft Exchange Server, with over 4 million historical messages, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory modules were 100% recovered.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Nearly all desktop computers were back in use by staff.

"A huge amount of what transpired in the initial days is mostly a haze for me, but we will not soon forget the countless hours each of your team accomplished to give us our company back. I�ve utilized Progent for the past 10 years, maybe more, and each time Progent has shined and delivered. This time was a Herculean accomplishment."

Conclusion
A likely enterprise-killing disaster was averted through the efforts of dedicated professionals, a broad range of subject matter expertise, and tight collaboration. In hindsight, the crypto-ransomware intrusion described here should have been blocked by current security technology, the NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, well thought out data protection procedures, and proper patching controls. But the fact remains that well-resourced attackers, whether state-sponsored groups or financially motivated criminal gangs, are tireless and will keep coming. If you are hit by a ransomware attack, be confident that Progent's team of professionals has proven experience in ransomware defense, remediation, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for allowing me to get rested after we made it over the initial push. Everyone did an impressive effort, and if any of your guys is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Skokie a variety of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services utilize modern machine learning technology to uncover zero-day strains of ransomware that are able to evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior-based machine learning tools to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely get past legacy signature-matching anti-virus tools. ProSight ASM safeguards local and cloud-based resources and provides a single platform to manage the entire malware attack lifecycle including filtering, infiltration detection, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Because many ransomware families delete shadow copies before they start encrypting, VSS rollback only helps if the agent blocks that step first; it complements, rather than replaces, offline or immutable backups. Progent is a SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
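    As an added example, not part of ProSight ASM or SentinelOne, the following Python shows the two behaviors a detection rule keys on before any rollback is needed: the shadow-copy deletion commands that Ryuk and similar families run so that VSS has nothing left to roll back to, and a burst of file renames to a single foreign extension, which is what encryption looks like from the file system. The key="value" event format, hostnames and paths are constructed for the example; a real deployment would read Sysmon process-creation and file events from the SIEM instead.

```python
"""Flag ransomware precursors in process-creation and file-rename events.

Added example, not ProSight ASM or SentinelOne code. The key="value" event
format, hostnames and paths are constructed for illustration.
"""
import re
from collections import defaultdict

# Commands that destroy Windows recovery points. Ryuk and similar families run
# these before encrypting so that VSS rollback has nothing to roll back to.
SHADOW_KILL_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
]
RENAME_THRESHOLD = 20   # renames by one host within WINDOW_SECONDS
WINDOW_SECONDS = 60
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """'ts="..." host="..." type="proc|rename" ...' -> dict with integer ts."""
    ev = dict(FIELD_RE.findall(line))
    ev["ts"] = int(ev["ts"])
    return ev


def find_shadow_deletions(events):
    """(host, command line) for every recovery-point deletion attempt."""
    return [(ev["host"], ev["cmd"]) for ev in events
            if ev.get("type") == "proc"
            and any(p.search(ev.get("cmd", "")) for p in SHADOW_KILL_PATTERNS)]


def find_rename_bursts(events, threshold=RENAME_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding window per host; report the largest window with >= threshold renames
    together with the set of new extensions (one foreign extension = encryption)."""
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("type") == "rename":
            per_host[ev["host"]].append(ev)
    bursts = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > bursts.get(host, {}).get("renames", 0):
                exts = {e["new"].rsplit(".", 1)[-1].lower() for e in evs[start:end + 1]}
                bursts[host] = {"renames": count, "extensions": sorted(exts)}
    return bursts


def analyze(lines):
    events = [parse_line(line) for line in lines]
    return {"shadow_deletions": find_shadow_deletions(events),
            "rename_bursts": find_rename_bursts(events)}


# Constructed sample: benign activity on WS-002, an attack sequence on WS-017.
SAMPLE_LOG = [
    'ts="1609550000" host="WS-002" type="proc" cmd="C:\\Windows\\System32\\notepad.exe"',
    'ts="1609550005" host="WS-002" type="rename" path="C:\\Users\\bob\\draft.docx" new="C:\\Users\\bob\\final.docx"',
    'ts="1609550100" host="WS-017" type="proc" cmd="cmd.exe /c vssadmin.exe Delete Shadows /all /quiet"',
    'ts="1609550101" host="WS-017" type="proc" cmd="bcdedit /set {default} recoveryenabled No"',
] + [
    f'ts="{1609550102 + i}" host="WS-017" type="rename" '
    f'path="C:\\Shares\\Finance\\doc{i}.xlsx" new="C:\\Shares\\Finance\\doc{i}.xlsx.RYK"'
    for i in range(25)
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

    The shadow-copy rule is the one worth alerting on at high severity: on a normal workstation there is no legitimate reason for vssadmin or bcdedit to be run with those arguments, and it fires seconds before encryption starts, which is the last moment at which isolating the host still saves the file shares.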

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools packaged within one agent accessible from a unified console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP deployment that meets your company's specific requirements and that helps you demonstrate compliance with government and industry information security regulations. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that require urgent attention. Progent can also help you set up and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup technology companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based managed offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and track your backup processes and enable transparent backup and fast restoration of critical files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss caused by equipment breakdown, natural calamities, fire, malware such as ransomware, user error, malicious insiders, or application bugs. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security vendors to deliver web-based management and world-class security for all your email traffic. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most unwanted email before it reaches your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite security gateway device adds a further layer of inspection for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server track and protect internal email that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map out, monitor, optimize and debug their connectivity appliances like routers and switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and sends notices when issues are discovered. By automating time-consuming management processes, WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating devices that need important updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to keep your network operating efficiently by checking the health of the critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT management personnel and your Progent consultant so that potential issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported immediately to a different hardware environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect data about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can eliminate as much as half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that uses cutting edge behavior analysis tools to guard endpoint devices and physical and virtual servers against new malware attacks like ransomware and email phishing, which easily get past traditional signature-matching anti-virus products. Progent ASM services safeguard local and cloud resources and provide a single platform to automate the entire threat progression including protection, identification, mitigation, remediation, and forensics. Top features include one-click rollback with Windows VSS and real-time system-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
    Progent's Help Desk services enable your IT team to offload Help Desk services to Progent or divide activity for Service Desk support seamlessly between your internal support resources and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent extension of your core support resources. Client access to the Help Desk, provision of support services, problem escalation, trouble ticket generation and updates, efficiency measurement, and maintenance of the service database are cohesive regardless of whether issues are resolved by your core IT support organization, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a versatile and affordable solution for assessing, validating, scheduling, applying, and documenting software and firmware updates to your dynamic IT network. Besides optimizing the protection and functionality of your computer network, Progent's patch management services allow your IT team to focus on line-of-business initiatives and activities that deliver the highest business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services use Cisco's Duo cloud technology to protect against compromised passwords through two-factor authentication. Duo enables single-tap identity verification on iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a separate network channel, so a stolen password alone is not enough to log in. A wide selection of devices can be used for this second form of verification, including an iPhone, Android phone or watch, a hardware token, or a landline telephone, and you may register multiple verification devices. For more information about ProSight Duo identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.
For 24-Hour Skokie Ransomware Cleanup Support Services, contact Progent at 800-462-8800 or go to Contact Progent.