Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware  Recovery ExpertsRansomware has become a too-frequent cyberplague that represents an enterprise-level danger for businesses of all sizes unprepared for an assault. Different iterations of ransomware like the CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and still inflict destruction. The latest variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, along with frequent unnamed malware, not only do encryption of on-line critical data but also infiltrate any accessible system protection mechanisms. Data replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed data protection solution, this can make automated recovery impossible and basically sets the network back to square one.

Restoring programs and information after a ransomware outage becomes a sprint against time as the targeted organization struggles to stop lateral movement and cleanup the ransomware and to restore mission-critical activity. Because ransomware takes time to move laterally, attacks are frequently launched during nights and weekends, when successful penetrations may take longer to recognize. This multiplies the difficulty of promptly mobilizing and orchestrating a knowledgeable response team.

Progent provides an assortment of help services for protecting enterprises from ransomware attacks. These include team education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security gateways with AI capabilities from SentinelOne to detect and suppress zero-day cyber threats rapidly. Progent also can provide the assistance of experienced crypto-ransomware recovery engineers with the talent and commitment to rebuild a breached environment as urgently as possible.

Progent's Ransomware Recovery Help
After a ransomware penetration, sending the ransom demands in cryptocurrency does not ensure that merciless criminals will respond with the needed codes to decrypt any of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET averages to be around $13,000. The other path is to setup from scratch the vital elements of your IT environment. Without the availability of full information backups, this requires a broad complement of skills, well-coordinated project management, and the willingness to work non-stop until the task is over.

For decades, Progent has offered certified expert IT services for businesses in Skokie and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned high-level industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security experts have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial systems and ERP applications. This breadth of expertise provides Progent the skills to efficiently identify important systems and organize the surviving pieces of your computer network environment after a ransomware event and rebuild them into a functioning system.

Progent's ransomware team of experts uses top notch project management systems to coordinate the sophisticated restoration process. Progent appreciates the importance of acting quickly and in unison with a customer's management and IT resources to prioritize tasks and to put the most important services back online as fast as possible.

Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer contacted Progent after their company was crashed by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state sponsored criminal gangs, suspected of using approaches leaked from the United States NSA organization. Ryuk seeks specific companies with little tolerance for disruption and is among the most profitable examples of ransomware. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer based in the Chicago metro area and has about 500 staff members. The Ryuk attack had frozen all business operations and manufacturing capabilities. Most of the client's data protection had been on-line at the start of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (exceeding $200K) and wishfully thinking for the best, but ultimately utilized Progent.


"I cannot speak enough about the help Progent gave us during the most fearful period of (our) businesses existence. We would have paid the cyber criminals except for the confidence the Progent group gave us. The fact that you were able to get our messaging and essential applications back on-line quicker than five days was earth shattering. Each expert I got help from or messaged at Progent was laser focused on getting our system up and was working all day and night on our behalf."

Progent worked hand in hand the client to quickly get our arms around and prioritize the most important elements that needed to be recovered to make it possible to continue company operations:

  • Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software
To begin, Progent adhered to ransomware penetration response industry best practices by isolating and cleaning up infected systems. Progent then initiated the task of restoring Windows Active Directory, the foundation of enterprise networks built on Microsoft technology. Exchange email will not operate without AD, and the customer's accounting and MRP applications utilized SQL Server, which depends on Active Directory for security authorization to the data.

Within two days, Progent was able to re-build Active Directory services to its pre-virus state. Progent then initiated setup and hard drive recovery of critical applications. All Microsoft Exchange Server ties and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Off-Line Folder Files) on user desktop computers and laptops to recover mail messages. A recent off-line backup of the customer's financials/ERP systems made it possible to return these essential services back available to users. Although a lot of work needed to be completed to recover fully from the Ryuk virus, critical systems were returned to operations quickly:


"For the most part, the manufacturing operation never missed a beat and we delivered all customer deliverables."

Over the following couple of weeks critical milestones in the recovery project were made in close collaboration between Progent engineers and the customer:

  • Self-hosted web applications were returned to operation without losing any information.
  • The MailStore Exchange Server with over 4 million historical emails was restored to operations and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were fully operational.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Most of the user PCs were operational.

"A lot of what occurred those first few days is nearly entirely a blur for me, but my management will not soon forget the commitment all of the team put in to give us our company back. I've trusted Progent for at least 10 years, maybe more, and every time Progent has shined and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A likely enterprise-killing disaster was avoided with results-oriented professionals, a wide spectrum of knowledge, and close collaboration. Although upon completion of forensics the crypto-ransomware attack detailed here could have been prevented with up-to-date cyber security technology and best practices, staff education, and appropriate security procedures for information backup and applying software patches, the fact remains that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware penetration, remember that Progent's roster of professionals has a proven track record in ransomware virus defense, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), I'm grateful for allowing me to get rested after we made it through the initial push. Everyone did an amazing job, and if anyone is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Skokie a variety of online monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services include modern AI capability to uncover zero-day variants of ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior analysis tools to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a unified platform to manage the complete threat progression including filtering, identification, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alerts, device management, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP environment that meets your company's specific needs and that allows you prove compliance with government and industry information security standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent attention. Progent can also help your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology companies to produce ProSight Data Protection Services, a family of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup processes and enable non-disruptive backup and rapid restoration of vital files, applications, system images, plus virtual machines. ProSight DPS helps you avoid data loss resulting from equipment failures, natural disasters, fire, malware like ransomware, human mistakes, malicious employees, or application bugs. Managed services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security vendors to provide centralized control and world-class security for your email traffic. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of threats from making it to your network firewall. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway device adds a further level of analysis for incoming email. For outbound email, the local security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, optimize and debug their networking appliances like routers and switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always current, copies and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks like network mapping, expanding your network, locating appliances that need critical software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management staff and your Progent engineering consultant so all looming problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved immediately to a different hardware environment without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information about your network infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates ,domains or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of time thrown away trying to find critical information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates next generation behavior-based machine learning technology to defend endpoints and physical and virtual servers against new malware assaults like ransomware and email phishing, which routinely evade traditional signature-matching anti-virus tools. Progent Active Security Monitoring services protect local and cloud resources and offers a unified platform to automate the complete malware attack progression including blocking, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Center: Help Desk Managed Services
    Progent's Call Center managed services enable your information technology group to outsource Help Desk services to Progent or divide responsibilities for Help Desk services transparently between your in-house support team and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a transparent supplement to your core support organization. End user access to the Help Desk, provision of support services, problem escalation, ticket generation and tracking, performance metrics, and maintenance of the support database are consistent regardless of whether incidents are resolved by your in-house network support staff, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Help Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer organizations of all sizes a flexible and cost-effective solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic information network. In addition to maximizing the security and reliability of your IT environment, Progent's software/firmware update management services allow your in-house IT staff to concentrate on line-of-business projects and activities that derive the highest business value from your information network. Read more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo enables single-tap identity confirmation on iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a secured online account and give your password you are asked to verify who you are via a unit that only you have and that uses a different ("out-of-band") network channel. A wide range of out-of-band devices can be utilized as this added means of ID validation such as an iPhone or Android or watch, a hardware/software token, a landline telephone, etc. You may register several validation devices. To find out more about Duo identity authentication services, visit Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of real-time reporting tools created to integrate with the industry's leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For 24-Hour Skokie Crypto-Ransomware Removal Consultants, call Progent at 800-462-8800 or go to Contact Progent.