Crypto-Ransomware: Your Worst IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyberplague that represents an enterprise-level danger for businesses of any size that are unprepared for an assault. Ransomware families such as Dharma, Fusob, Locky, NotPetya and the MongoLock cryptoworms have been circulating for years and still cause damage. More recent variants like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with a stream of unnamed newcomers, not only encrypt on-line data but also defeat most of the system protections available to them. Files synchronized to off-premises disaster recovery sites can also be ransomed. In a vulnerable system, this can make any restore operation hopeless and effectively set the network back to square one.
Getting on-line services and data back after a ransomware event becomes a sprint against the clock as the targeted business struggles to contain the damage, remove the crypto-ransomware, and resume mission-critical operations. Because ransomware takes time to move laterally across a network, attacks are usually sprung on weekends and holidays, when they are likely to go unnoticed for longer. This multiplies the difficulty of quickly marshalling and coordinating a capable response team.
Progent offers an assortment of services for securing Chicago enterprises against ransomware penetration. These include user education so staff can recognize and avoid falling victim to phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based cyberthreat protection to identify and disable zero-day malware attacks. Progent can also provide the services of veteran crypto-ransomware recovery professionals with the talent and perseverance to restore a compromised network as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency gives no assurance that the attackers will respond with the keys to decrypt any or all of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data even after sending off the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms are typically a few hundred thousand dollars. For larger organizations, the ransom demand can reach millions. The fallback is to piece back together the critical parts of your Information Technology environment. Without full system backups available, this calls for a wide complement of IT skills, well-coordinated project management, and the capability to work 24x7 until the task is finished.
For two decades, Progent has provided expert Information Technology services to companies throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the ability to efficiently identify critical systems, integrate the surviving parts of your Information Technology environment following a ransomware event, and assemble them into an operational network.
Progent's security group uses top-notch project management tools to orchestrate the complicated recovery process. Progent appreciates the urgency of acting rapidly and in unison with a customer's management and IT team members to prioritize tasks and put critical services back on line as fast as possible.
Business Case Study: A Successful Ransomware Penetration Recovery
A business hired Progent after its network was brought down by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored criminal gangs, suspected of using technology exposed from America's NSA. Ryuk targets specific businesses with limited room for operational disruption and is one of the most profitable strains of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago with around 500 staff members. The Ryuk intrusion had frozen all essential operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the attack and were destroyed. The client was pursuing financing to pay the ransom (more than $200K) and hoping for the best, but ultimately brought in Progent.
Progent worked hand in hand with the customer to rapidly understand and prioritize the critical services that had to be recovered before company functions could resume:
Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then performed reinstallations and storage recovery of the needed applications. All Exchange Server connections and configuration information were still usable, which greatly helped the rebuild of Exchange. Progent was able to collect local OST files (Outlook Offline Data Files) from various workstations in order to recover email data. A reasonably recent off-line backup of the customer's manufacturing software made it possible to return these vital applications to service. Although a lot of work remained to recover fully from the Ryuk event, the most important systems were returned to operation quickly:
During the following month, critical milestones in the recovery process were accomplished in close collaboration between Progent engineers and the client:
Conclusion
A likely business-killing disaster was averted through the efforts of top-tier professionals, a broad range of IT skills, and close teamwork. In retrospect, the crypto-ransomware attack described here would have been stopped by advanced cyber security systems and recognized best practices: staff training, well thought out procedures for backup, and keeping systems current with security patches. The reality remains, however, that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and will keep trying. If you are hit by a ransomware incident, you can be confident that Progent's roster of professionals has substantial experience in ransomware defense, removal, and data restoration.
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Chicago
For ransomware system restoration services in the Chicago metro area, call Progent at