Ransomware : Your Feared Information Technology Nightmare
Ransomware  Remediation ConsultantsCrypto-Ransomware has become a modern cyberplague that poses an existential danger for organizations unprepared for an attack. Multiple generations of ransomware such as Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for years and still inflict damage. The latest variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as more as yet unnamed viruses, not only encrypt online information but also infiltrate any configured system backups. Information synched to off-site disaster recovery sites can also be ransomed. In a poorly architected environment, it can make any restoration hopeless and effectively knocks the datacenter back to zero.

Restoring applications and data following a crypto-ransomware intrusion becomes a race against time as the targeted business tries its best to contain the damage and eradicate the ransomware and to resume business-critical operations. Due to the fact that crypto-ransomware requires time to replicate, attacks are frequently launched during nights and weekends, when attacks may take longer to identify. This multiplies the difficulty of rapidly marshalling and orchestrating a capable mitigation team.

Progent offers an assortment of support services for securing organizations from ransomware attacks. Among these are user training to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security gateways with machine learning capabilities from SentinelOne to detect and disable day-zero cyber threats quickly. Progent also can provide the assistance of experienced ransomware recovery professionals with the skills and commitment to reconstruct a breached environment as quickly as possible.

Progent's Ransomware Restoration Help
Soon after a ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that criminal gangs will respond with the needed keys to decipher any of your information. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to setup from scratch the mission-critical components of your Information Technology environment. Absent the availability of complete information backups, this calls for a wide complement of skills, well-coordinated team management, and the capability to work 24x7 until the task is done.

For two decades, Progent has made available professional IT services for companies in Skokie and across the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained advanced certifications in important technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity engineers have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience with financial systems and ERP applications. This breadth of expertise affords Progent the skills to knowledgably determine important systems and integrate the surviving components of your IT environment after a ransomware penetration and assemble them into a functioning system.

Progent's recovery team deploys powerful project management applications to coordinate the complex recovery process. Progent knows the importance of acting rapidly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to get critical systems back on-line as fast as possible.

Client Story: A Successful Crypto-Ransomware Penetration Recovery
A client hired Progent after their company was crashed by the Ryuk ransomware. Ryuk is thought to have been created by Northern Korean state sponsored cybercriminals, suspected of adopting techniques exposed from America's National Security Agency. Ryuk goes after specific organizations with little or no tolerance for disruption and is one of the most profitable instances of crypto-ransomware. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area and has about 500 workers. The Ryuk attack had disabled all business operations and manufacturing processes. Most of the client's system backups had been directly accessible at the start of the attack and were encrypted. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately brought in Progent.


"I can't thank you enough in regards to the expertise Progent provided us throughout the most stressful period of (our) company's life. We most likely would have paid the Hackers if not for the confidence the Progent team gave us. That you could get our e-mail and critical servers back into operation quicker than 1 week was amazing. Each staff member I got help from or communicated with at Progent was laser focused on getting us operational and was working 24/7 on our behalf."

Progent worked hand in hand the customer to rapidly understand and prioritize the most important elements that needed to be addressed in order to restart company operations:

  • Windows Active Directory
  • Email
  • Accounting/MRP
To begin, Progent adhered to ransomware event mitigation best practices by stopping the spread and clearing infected systems. Progent then started the work of recovering Microsoft Active Directory, the key technology of enterprise environments built on Microsoft technology. Exchange email will not operate without Windows AD, and the customer's accounting and MRP applications leveraged Microsoft SQL, which needs Active Directory services for access to the database.

In less than 48 hours, Progent was able to recover Active Directory to its pre-penetration state. Progent then completed reinstallations and storage recovery of critical systems. All Exchange Server ties and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to assemble non-encrypted OST data files (Outlook Offline Data Files) on team PCs and laptops to recover mail data. A not too old off-line backup of the client's financials/MRP systems made it possible to recover these essential programs back on-line. Although significant work remained to recover fully from the Ryuk virus, the most important systems were restored quickly:


"For the most part, the assembly line operation was never shut down and we did not miss any customer deliverables."

Over the next few weeks key milestones in the recovery process were accomplished in tight collaboration between Progent team members and the client:

  • In-house web sites were returned to operation without losing any data.
  • The MailStore Exchange Server with over four million archived emails was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory capabilities were 100% restored.
  • A new Palo Alto 850 firewall was brought online.
  • 90% of the desktop computers were functioning as before the incident.

"Much of what went on in the early hours is mostly a fog for me, but I will not soon forget the dedication each of your team put in to help get our business back. I've utilized Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This situation was the most impressive ever."

Conclusion
A potential business-ending catastrophe was evaded due to top-tier experts, a wide range of knowledge, and tight teamwork. Although in retrospect the ransomware virus attack described here could have been blocked with up-to-date cyber security technology solutions and security best practices, user and IT administrator training, and properly executed incident response procedures for data protection and applying software patches, the fact is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incursion, feel confident that Progent's team of professionals has a proven track record in ransomware virus blocking, remediation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), I'm grateful for letting me get rested after we made it through the most critical parts. Everyone did an impressive job, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Skokie a variety of online monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services utilize modern machine learning technology to detect new variants of ransomware that can evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely escape legacy signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to manage the complete threat lifecycle including filtering, detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device control, and web filtering through leading-edge tools incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business to plan and configure a ProSight ESP deployment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry data security regulations. Progent will assist you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent's consultants can also help your company to install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup/restore software providers to create ProSight Data Protection Services (DPS), a selection of offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup operations and enable non-disruptive backup and fast restoration of vital files, applications, images, and VMs. ProSight DPS lets you avoid data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or software glitches. Managed services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to deliver web-based control and comprehensive protection for your email traffic. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway device to offer advanced defense against spam, viruses, Dos Attacks, DHAs, and other email-based malware. The cloud filter acts as a first line of defense and blocks the vast majority of threats from reaching your network firewall. This reduces your vulnerability to external threats and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for incoming email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map, track, reconfigure and debug their connectivity hardware such as routers and switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always updated, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating tedious management processes, WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, locating appliances that require critical updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by tracking the state of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT staff and your assigned Progent consultant so that all potential problems can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported immediately to an alternate hardware solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate as much as 50% of time spent looking for vital information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require as soon as you need it. Read more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates next generation behavior analysis technology to defend endpoint devices as well as servers and VMs against new malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching AV tools. Progent ASM services safeguard on-premises and cloud resources and offers a single platform to automate the entire threat progression including filtering, detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Help Center services permit your information technology group to offload Support Desk services to Progent or split activity for Service Desk support transparently between your in-house network support group and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent extension of your core IT support staff. End user access to the Service Desk, delivery of support services, escalation, ticket creation and updates, performance measurement, and management of the service database are consistent whether incidents are taken care of by your corporate network support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Service Center services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a flexible and affordable alternative for assessing, validating, scheduling, implementing, and tracking updates to your ever-evolving IT network. In addition to optimizing the security and functionality of your computer environment, Progent's software/firmware update management services free up time for your in-house IT team to concentrate on line-of-business initiatives and activities that derive maximum business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Android, and other personal devices. With 2FA, when you log into a secured online account and enter your password you are asked to verify your identity on a device that only you possess and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used as this second form of ID validation such as an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You may designate multiple verification devices. For details about Duo identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of real-time and in-depth management reporting plug-ins created to work with the leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues such as inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For Skokie 24-Hour CryptoLocker Removal Consultants, contact Progent at 800-462-8800 or go to Contact Progent.