Crypto-Ransomware: Your Feared Information Technology Nightmare
Ransomware has become an all-too-frequent cyber pandemic that presents an extinction-level danger for organizations unprepared for an attack. Ransomware families such as Dharma, CryptoWall, Locky, SamSam and MongoLock have been circulating for many years and still inflict harm. Newer variants such as Ryuk (itself derived from the Hermes ransomware), plus others not yet named, do not simply encrypt online data: they also delete Volume Shadow Copies and attack whatever backups they can reach from the compromised network, and files synchronized to the cloud can be encrypted along with the local copies. Against a poorly designed data protection solution this makes automatic restoration hopeless and effectively sets the network back to zero.
Recovering services and data following a ransomware event becomes a race against the clock as the targeted organization struggles to stop the spread, clear the ransomware and restore business-critical activity. Because crypto-ransomware needs time to spread, intrusions are frequently launched on weekends, when attacks typically take longer to recognize. This compounds the difficulty of promptly mobilizing and organizing a qualified response team.
Progent offers an assortment of solutions for protecting organizations from crypto-ransomware penetrations. These include staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security solutions with machine learning technology to automatically discover and extinguish new cyber attacks. Progent also can provide the assistance of expert ransomware recovery professionals with the talent and commitment to rebuild a breached network as rapidly as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, even paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also costly: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at approximately $13,000. The fallback is to rebuild the essential parts of your IT environment from scratch. Without full system backups, this calls for a wide range of skills, top-notch team management, and the capability to work non-stop until the job is done.
For two decades, Progent has offered professional IT services for companies in Skokie and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned high-level certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP software solutions. This breadth of expertise gives Progent the skills to efficiently identify necessary systems and re-organize the surviving components of your Information Technology environment following a ransomware event and rebuild them into an operational network.
Progent's ransomware team uses best-of-breed project management applications to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT team members to prioritize tasks and to put key systems back online as soon as humanly possible.
Customer Story: A Successful Ransomware Intrusion Restoration
A regional manufacturer hired Progent after their network was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is based in the Chicago metro area and has around 500 employees. The Ryuk intrusion had disabled all business operations and manufacturing capabilities. Most of the client's system backups had been online at the start of the attack and were damaged. The client considered paying the ransom demand (more than $200K) and hoping for the best, but ultimately reached out to Progent.
"I cannot thank you enough for the help Progent provided us during the most stressful period of (our) company's survival. We would have had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent experts afforded us. The fact that you could get our e-mail and essential applications back into operation in less than a week was incredible. Every single expert I worked with or messaged at Progent was amazingly focused on getting my company operational and was working non-stop to bail us out."
Progent worked with the customer to rapidly identify and prioritize the critical systems that had to be recovered in order to continue business operations:
- Active Directory
- Exchange Server messaging
- Accounting and manufacturing (MRP) software
First, Progent followed incident response best practices by stopping lateral movement and isolating and cleaning compromised systems. Progent then began bringing Microsoft Active Directory (AD) back online, since AD is the foundation of environments built on Windows Server. Exchange Server will not function without AD, and the customer's accounting and MRP applications ran on SQL Server, which used Windows AD for authentication to the database.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then began reinstalling and recovering storage for the most important servers. All Exchange Server links and attributes in AD were intact, which simplified the Exchange restore. Progent located intact OST files (Outlook offline data files) on user PCs and laptops and used them to recover mailbox data. A reasonably recent offline backup of the customer's financials/MRP software made it possible to bring those essential applications back online. Although a great deal of work remained to recover fully from the Ryuk damage, critical services were restored rapidly:
"For the most part, the manufacturing operation survived unscathed and we delivered all customer sales."
During the next few weeks, important milestones in the recovery project were reached in tight cooperation between Progent consultants and the client:
- In-house web sites were restored with no loss of information.
- The MailStore email archive for Exchange Server, holding more than four million archived messages, was brought back up and made available to users.
- CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control functions were fully recovered.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Most of the desktop computers were operational.
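The OST recovery step in the story above is worth showing concretely. The following Python script, added here as an example and not Progent's own tooling, walks user profile directories for Outlook data files (including ones the ransomware has renamed) and checks whether each still begins with the "!BDN" signature that every OST/PST file carries; a copy whose contents were overwritten by encryption fails that check, so usable mailbox caches can be separated from destroyed ones before anyone spends time importing them. The directory layout, user names and sample files are constructed in a temporary directory; the renamed sample stands in for a copy to which the ransomware appended its own extension.

```python
"""Triage Outlook offline data files (.ost/.pst) left on endpoints.

Added example, not Progent's own tooling. Walks a directory tree, finds
Outlook data files (including renamed ones) and checks the 4-byte PFF
signature "!BDN" that every OST/PST file starts with. An encrypted copy no
longer carries that signature. The sample tree is constructed below.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List

PFF_SIGNATURE = b"!BDN"                 # bytes 0-3 of every Outlook OST/PST file
OUTLOOK_EXTENSIONS = {".ost", ".pst"}
# Default per-profile OST location under each user's home directory (assumed
# layout for the constructed sample; a real scan would also cover any custom
# data-file paths recorded in the Outlook profiles).
OUTLOOK_REL_DIR = Path("AppData/Local/Microsoft/Outlook")


@dataclass
class OstFinding:
    path: str       # relative to the scanned root, POSIX separators
    size: int       # bytes on disk
    intact: bool    # True if the PFF signature is still present


def is_intact_outlook_file(path: Path) -> bool:
    """Return True if the file still begins with the PFF signature."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(PFF_SIGNATURE)) == PFF_SIGNATURE
    except OSError:
        return False


def iter_outlook_files(root: Path) -> Iterator[Path]:
    """Yield every file with .ost or .pst anywhere in its suffixes, so that
    'mailbox.ost.XYZ'-style renames by the ransomware are still found."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if OUTLOOK_EXTENSIONS & {s.lower() for s in p.suffixes}:
                yield p


def triage(root: Path) -> List[OstFinding]:
    findings = [
        OstFinding(p.relative_to(root).as_posix(), p.stat().st_size,
                   is_intact_outlook_file(p))
        for p in iter_outlook_files(root)
    ]
    return sorted(findings, key=lambda f: f.path)


def recoverable(findings: List[OstFinding]) -> List[str]:
    """Paths worth handing to the mailbox recovery step."""
    return [f.path for f in findings if f.intact]


def build_sample_tree() -> Path:
    """Constructed sample: one intact OST, one overwritten in place, one
    overwritten and renamed. Returns the temporary root directory."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    garbage = b"\x8f\x1c\xa9\x03" + b"\x00" * 4096   # stands in for ciphertext
    samples = {
        "alice/alice@example.com.ost": PFF_SIGNATURE + b"\x00" * 4096,
        "bob/bob.ost": garbage,
        "carol/carol.ost.RYK": garbage,
    }
    for rel, data in samples.items():
        user, filename = Path(rel).parts
        target = root / "Users" / user / OUTLOOK_REL_DIR / filename
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for f in triage(build_sample_tree()):
        print(f"{'OK ' if f.intact else 'BAD'} {f.size:>8} {f.path}")
```

The signature check only proves the header was not overwritten; families that encrypt files partially can leave the header intact, so a file that passes should still be opened or converted in a sandbox before its contents are trusted for import.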
"A huge amount of what occurred those first few days is nearly entirely a blur for me, but our team will not soon forget the care each of your team put in to give us our business back. I have utilized Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was a testament to your capabilities."
A probable company-ending disaster was avoided by results-oriented experts, a wide array of technical expertise, and tight collaboration. In retrospect, the crypto-ransomware incident described here could have been identified and stopped with modern security technology and recognized best practices: user and IT administrator training, and well-designed procedures for data backup (including copies kept offline, which is what saved the financials/MRP system here) and patch management. The reality, however, is that criminal and state-sponsored cyber gangs from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware attack, remember that Progent's roster of professionals has proven experience in ransomware defense, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for letting me get rested after we got through the initial fire. Everyone did an incredible effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Skokie a portfolio of remote monitoring and security evaluation services to help reduce the threat from crypto-ransomware. These services include behavior-based, machine-learning detection of new strains of crypto-ransomware that evade legacy signature-based security products.
For 24x7 Skokie Ransomware Remediation Help, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses next-generation behavior-based analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which routinely get past traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and offers a single platform to manage the complete threat lifecycle including filtering, detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered attacks. Because many ransomware families, Ryuk among them, delete shadow copies before they encrypt, VSS-based rollback is only as good as the agent's ability to protect those snapshots from tampering, which is why catching shadow-copy deletion early matters. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
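The behaviour described at the top of the page (ransomware disabling the system's own recovery mechanisms before it encrypts) and the VSS caveat just above come down to a handful of commands that any monitoring platform should alert on. The following Python script is an added example, not code from this page or from Progent's ProSight products: it runs a small rule set over constructed Sysmon-style process-creation events and also flags events that land on a weekend or overnight, the windows the introduction notes are favoured for launching attacks. Field names, host names, user names and timestamps are constructed; the rule patterns cover documented recovery-inhibition commands (MITRE ATT&CK T1490), and the off-hours heuristic treats the sample timestamps as local time.

```python
"""Detect backup and shadow-copy tampering in process-creation telemetry.

Added example, not part of Progent's ProSight tooling. The events are
constructed Sysmon-style process-creation records (Event ID 1) as JSON lines;
in production they would come from Sysmon, Windows Security event 4688 with
command-line auditing enabled, or an EDR agent. Rules cover the commands
ransomware runs to inhibit recovery before encrypting (MITRE ATT&CK T1490).
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# (rule name, regex applied to the normalized command line)
RULES = [
    ("vss_delete_shadows",       r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("vss_resize_storage",       r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b"),
    ("wmic_shadowcopy_delete",   r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    ("wbadmin_delete",           r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b"),
    ("bcdedit_disable_recovery", r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("wmi_shadowcopy_delete",    r"\bwin32_shadowcopy\b.*\bdelete\b"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]

# Constructed sample telemetry (hosts, users and times are invented). The
# 2021-03-06 events fall on a Saturday at 02:14; 2021-03-08 is a Monday.
SAMPLE_EVENTS = r"""
{"Time": "2021-03-06T02:14:03", "Computer": "FS01", "User": "CORP\\svc_backup", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}
{"Time": "2021-03-08T09:30:11", "Computer": "FS01", "User": "CORP\\jsmith", "CommandLine": "vssadmin list shadows"}
{"Time": "2021-03-06T02:14:05", "Computer": "FS01", "User": "CORP\\svc_backup", "CommandLine": "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"}
{"Time": "2021-03-06T02:14:09", "Computer": "DC01", "User": "CORP\\svc_backup", "CommandLine": "wmic shadowcopy delete"}
{"Time": "2021-03-06T02:14:12", "Computer": "DC01", "User": "CORP\\svc_backup", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"Time": "2021-03-06T02:14:15", "Computer": "DC01", "User": "CORP\\svc_backup", "CommandLine": "wbadmin delete catalog -quiet"}
{"Time": "2021-03-08T14:02:40", "Computer": "WS117", "User": "CORP\\mjones", "CommandLine": "powershell.exe -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\""}
{"Time": "2021-03-08T14:05:00", "Computer": "WS117", "User": "CORP\\mjones", "CommandLine": "notepad.exe C:\\Users\\mjones\\notes.txt"}
"""


@dataclass
class Alert:
    time: str
    host: str
    user: str
    command_line: str
    rules: List[str]
    off_hours: bool


def normalize(command_line: str) -> str:
    """Collapse whitespace and drop quotes so casing, quoting and spacing
    variations ("vssadmin.exe"  Delete  Shadows) still hit the rules."""
    return re.sub(r"\s+", " ", command_line.replace('"', "").replace("'", "")).strip()


def match_rules(command_line: str) -> List[str]:
    cmd = normalize(command_line)
    return [name for name, rx in COMPILED if rx.search(cmd)]


def is_off_hours(timestamp: str) -> bool:
    """Weekend, or between 20:00 and 06:00: when response is slowest."""
    t = datetime.fromisoformat(timestamp)
    return t.weekday() >= 5 or t.hour >= 20 or t.hour < 6


def detect(jsonl: str) -> List[Alert]:
    alerts: List[Alert] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev: Dict[str, str] = json.loads(line)
        hits = match_rules(ev.get("CommandLine", ""))
        if hits:
            alerts.append(Alert(ev["Time"], ev["Computer"], ev["User"],
                                ev["CommandLine"], hits, is_off_hours(ev["Time"])))
    return alerts


def hosts_with_multiple_techniques(alerts: List[Alert], minimum: int = 2) -> Dict[str, List[str]]:
    """Hosts where two or more distinct recovery-inhibition techniques fired:
    one vssadmin call may be an administrator, a chain of them is the kill
    script that precedes encryption."""
    seen: Dict[str, set] = {}
    for a in alerts:
        seen.setdefault(a.host, set()).update(a.rules)
    return {h: sorted(r) for h, r in sorted(seen.items()) if len(r) >= minimum}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        flag = "OFF-HOURS" if a.off_hours else "business hours"
        print(f"{a.time} {a.host} {a.user} {','.join(a.rules)} [{flag}] {a.command_line}")
    print("escalate:", hosts_with_multiple_techniques(found))
```

A single match is a page to the on-call analyst; a host with several distinct techniques inside a few seconds, as FS01 and DC01 show here, is the signal to isolate the host immediately, since encryption normally follows within minutes. Command-line auditing has to be switched on for these rules to see anything: Windows event 4688 does not record the command line by default.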
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and respond to cyber attacks from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help you design and implement a ProSight ESP environment that meets your company's unique requirements and allows you to prove compliance with government and industry data security regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also help you install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable and fully managed solution for secure backup and disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates and monitors your backup processes and enables rapid restoration of vital files, applications and virtual machines that have been lost or damaged by hardware failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both; keeping a copy that cannot be reached from the production network is what makes recovery possible when, as in the case above, online backups are destroyed. Progent's backup and recovery specialists can provide world-class expertise to set up ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, and PCI and, when needed, can help you recover your critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to provide centralized management and comprehensive protection for all your email traffic. The architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide complete protection against spam, viruses, denial of service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and keeps most threats from reaching your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway device adds a deeper layer of analysis for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map out, monitor, optimize and debug their connectivity hardware such as routers and switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always current, copies and manages the configuration of virtually all devices on your network, tracks performance, and generates alerts when issues are detected. By automating complex management activities, ProSight WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, finding appliances that require critical software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running efficiently by tracking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT staff and your Progent consultant so that any potential issues can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can eliminate as much as half the time wasted looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.