Ransomware : Your Feared IT Nightmare
Ransomware has become a modern cyberplague that presents an existential danger for businesses poorly prepared for an assault. Earlier iterations of ransomware like the CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been in the wild for a long time and still inflict harm. Newer families like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, plus more as yet unnamed strains, not only encrypt online data files but also corrupt any reachable system restore points and backups. Data replicated to off-site disaster recovery sites can also be held hostage. In a poorly architected environment, this renders automated restore operations useless and effectively sets the datacenter back to zero.
Restoring programs and data following a ransomware attack becomes a race against the clock as the targeted business tries its best to stop the spread, remove the ransomware, and restore mission-critical activity. Because ransomware requires time to replicate, attacks are frequently launched at night, when penetrations in many cases take more time to discover. This compounds the difficulty of rapidly marshalling and orchestrating a qualified mitigation team.
Progent provides a variety of solutions for securing organizations against ransomware events. Among these are team member training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of AI-assisted security products from SentinelOne to detect and quarantine zero-day threats quickly. Progent also provides the services of veteran crypto-ransomware recovery engineers with the talent and commitment to reconstruct a breached system as quickly as possible.
Progent's Ransomware Recovery Help
Subsequent to a ransomware invasion, even paying the ransom demands in cryptocurrency does not provide any assurance that cyber criminals will respond with the keys to unencrypt all your files. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their data after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms are often a few hundred thousand dollars. For larger organizations, the ransom can reach millions of dollars. The fallback is to re-install the critical elements of your IT environment. Absent access to complete system backups, this requires a wide complement of skill sets, top notch team management, and the capability to work 24x7 until the task is completed.
For two decades, Progent has offered professional IT services for businesses throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISA, CISSP, CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP application software. This breadth of expertise gives Progent the capability to rapidly identify critical systems, organize the remaining pieces of your network following a crypto-ransomware attack, and assemble them into a functioning system.
Progent's ransomware team of experts deploys state-of-the-art project management systems to coordinate the complicated restoration process. Progent understands the importance of working swiftly and in concert with a client's management and IT staff to prioritize tasks and to put critical applications back on line as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Response
A client sought out Progent after their organization was attacked by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored cybercriminals, suspected of using algorithms exposed from America's NSA organization. Ryuk targets specific businesses with little room for operational disruption and is one of the most lucrative versions of crypto-ransomware. Highly publicized targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with around 500 staff members. The Ryuk intrusion had frozen all business operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were destroyed. The client was pursuing financing to pay the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent.
"I can't tell you enough in regards to the expertise Progent provided us during the most stressful time of (our) company's life. We would have paid the cyber criminals if not for the confidence the Progent team provided us. That you were able to get our e-mail system and key servers back online sooner than a week was incredible. Every single person I spoke to or texted at Progent was totally committed to getting us restored and was working at all hours on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical areas that had to be restored to make it possible to continue business operations:
- Active Directory (AD)
- Microsoft Exchange
- Financials/MRP
To get going, Progent followed ransomware incident response best practices by halting the spread and disinfecting systems. Progent then started the process of bringing Windows Active Directory back online, the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the client's MRP software relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the database.
Within two days, Progent was able to restore Active Directory services to their pre-attack state. Progent then rebuilt the required applications and recovered data from their hard drives. All Microsoft Exchange Server schema and configuration information was usable, which accelerated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Outlook Offline Data Files) on team desktop computers and laptops to recover email data. A recent off-line backup of the customer's financials/MRP software made it possible to return these vital applications to users. Although significant work still had to be done to recover completely from the Ryuk event, core services were restored rapidly:
"For the most part, the manufacturing operation did not miss a beat and we delivered all customer shipments."
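The OST salvage step above is the one part of the recovery a responder can script: walk the workstation profiles, find every Outlook offline data file (including ones a ransomware strain has renamed), and keep only those whose container header is intact. The script below is an added example, not Progent's tooling; it relies on the fact that the Outlook OST/PST container format begins with the four-byte magic `!BDN`, and the sample file tree it builds is constructed for the demonstration.

```python
"""Triage Outlook offline data files (.ost) found on workstations after a
ransomware event, keeping only the ones whose container header is intact.

Added example (not Progent's tooling). The OST/PST container format starts
with the four-byte magic '!BDN'; a file encrypted in place no longer does.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

OST_MAGIC = b"!BDN"


def classify_ost(path: Path) -> str:
    """Return 'intact', 'encrypted', or 'unreadable' for one candidate file."""
    try:
        with path.open("rb") as fh:
            header = fh.read(4)
    except OSError:
        return "unreadable"
    return "intact" if header == OST_MAGIC else "encrypted"


def find_ost_candidates(root: Path) -> List[Path]:
    """Walk a directory tree and return every file that looks like an OST,
    including ones renamed by an appended extension such as 'user.ost.locked'
    (an assumed pattern, not a claim about any specific strain)."""
    hits: List[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if ".ost" in [s.lower() for s in Path(name).suffixes]:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def triage_ost_files(root: Path) -> Dict[str, List[str]]:
    """Group OST candidates under root by header state (paths relative to root)."""
    report: Dict[str, List[str]] = {"intact": [], "encrypted": [], "unreadable": []}
    for candidate in find_ost_candidates(root):
        report[classify_ost(candidate)].append(candidate.relative_to(root).as_posix())
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one intact OST, one encrypted-and-renamed OST,
    and an unrelated file that must be ignored."""
    (root / "alice").mkdir(parents=True)
    (root / "bob").mkdir(parents=True)
    (root / "alice" / "alice@example.com.ost").write_bytes(OST_MAGIC + b"\x00" * 60)
    # Deterministic stand-in for ciphertext: header is anything but '!BDN'.
    (root / "bob" / "bob@example.com.ost.locked").write_bytes(b"\xa7\x13\x5e\xc0" + b"\xff" * 60)
    (root / "bob" / "notes.txt").write_bytes(b"not a mailbox")


def demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_ost_files(root)


if __name__ == "__main__":
    for state, files in demo().items():
        print(f"{state}: {files}")
```

Point `triage_ost_files` at a mounted workstation image or a share of collected user profiles to get a list of mailboxes worth importing into a rebuilt Exchange environment.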
Over the next few weeks, critical milestones in the recovery process were achieved through close cooperation between Progent team members and the client:
- Internal web sites were restored without losing any data.
- The MailStore archive server for Microsoft Exchange, containing more than 4 million archived messages, was restored to operation and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory functions were completely recovered.
- A new Palo Alto 850 firewall was brought on-line.
- Nearly all of the user PCs were operational.
"A huge amount of what was accomplished that first week is nearly entirely a blur for me, but my team will not forget the dedication all of you accomplished to help get our company back. I've trusted Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This event was a stunning achievement."
Conclusion
A probable enterprise-killing disaster was averted through the efforts of top-tier professionals, a broad range of knowledge, and close collaboration. In hindsight, the ransomware incident detailed here could have been detected and contained with up-to-date cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and properly executed incident response procedures covering data backup and patching controls. The reality remains, however, that government-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has substantial experience in ransomware defense, mitigation, and file disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for letting me get some sleep after we got over the first week. Everyone did a fabulous effort, and if anyone is in the Chicago area, a great meal is my treat!"
To review or download a PDF version of this ransomware incident report, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Chicago a range of remote monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services incorporate next-generation AI technology to detect zero-day strains of ransomware that can evade legacy signature-based anti-virus solutions.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating efficiently by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT personnel and your Progent engineering consultant so that any looming issues can be addressed before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Desktops
ProSight LAN Watch with NinjaOne RMM software delivers a centralized, cloud-based platform for managing your network, server, and desktop devices by offering an environment for streamlining common tedious jobs. These include health monitoring, patch management, automated remediation, endpoint setup, backup and restore, A/V protection, remote access, built-in and custom scripts, resource inventory, endpoint status reporting, and troubleshooting assistance. When ProSight LAN Watch with NinjaOne RMM uncovers a serious issue, it transmits an alert to your specified IT management personnel and your assigned Progent technical consultant so that potential problems can be taken care of before they impact your network. Learn more details about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, monitor, reconfigure and debug their connectivity hardware such as routers, firewalls, and access points plus servers, printers, endpoints and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network maps are kept current, copies and displays the configuration information of virtually all devices on your network, monitors performance, and sends notices when issues are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, locating appliances that need critical updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of in-depth management reporting plug-ins designed to integrate with the top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup technology companies to create ProSight Data Protection Services (DPS), a family of management offerings that provide backup-as-a-service. ProSight DPS services automate and track your data backup processes and allow non-disruptive backup and fast recovery of critical files, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss caused by hardware failures, natural disasters, fire, cyber attacks like ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security companies to deliver centralized management and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway device to offer complete defense against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway device provides a deeper level of inspection for incoming email. For outgoing email, the on-premises gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication. Duo enables one-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a protected online account and give your password, you are asked to verify who you are on a device that only you possess and that uses a different ("out-of-band") network channel. A wide selection of devices can be used as this added means of ID validation, including a smartphone or watch, a hardware/software token, a landline phone, etc. You can designate multiple validation devices. To find out more about ProSight Duo identity validation services, visit Duo MFA two-factor authentication services.
- Outsourced/Co-managed Help Center: Support Desk Managed Services
Progent's Support Desk services permit your information technology staff to offload Support Desk services to Progent or divide responsibilities for support services seamlessly between your internal support resources and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a seamless extension of your in-house network support organization. End user access to the Help Desk, delivery of support services, escalation, ticket generation and tracking, performance metrics, and maintenance of the service database are cohesive whether incidents are taken care of by your corporate support staff, by Progent's team, or both. Learn more about Progent's outsourced/shared Call Center services.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates next generation behavior-based analysis tools to defend endpoints and physical and virtual servers against modern malware attacks like ransomware and email phishing, which easily get by traditional signature-matching AV tools. Progent ASM services safeguard local and cloud-based resources and provide a unified platform to manage the complete malware attack progression, including protection, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard data related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By updating and managing your IT documentation, you can eliminate up to 50% of time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer organizations of all sizes a versatile and cost-effective alternative for evaluating, validating, scheduling, applying, and tracking updates to your dynamic information network. In addition to optimizing the protection and reliability of your IT environment, Progent's software/firmware update management services allow your IT team to concentrate on more strategic projects and activities that derive the highest business value from your network. Find out more about Progent's software/firmware update management support services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hardware solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely get by legacy signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to address the entire malware attack lifecycle, including filtering, identification, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device control, and web filtering through leading-edge tools packaged within one agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business to plan and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you demonstrate compliance with legal and industry information protection standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent action. Progent can also help you to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.
For Chicago 24-7 Crypto-Ransomware Repair Consultants, call Progent at 800-462-8800 or go to Contact Progent.