Ransomware: Your Crippling IT Disaster
Ransomware has become a modern cyber plague and an enterprise-level danger for organizations unprepared for an attack. Older crypto-ransomware families such as CrySIS, Fusob, Locky, Syskey and MongoLock have circulated for years and continue to cause harm. More recent families like Ryuk, Maze, Sodinokibi (REvil), NetWalker, Snatch and Nephilim, plus a steady stream of as yet unnamed variants, not only encrypt online files but also encrypt or delete any backups, shadow copies and system restore points they can reach over the network, and data synchronized to cloud storage is encrypted along with the local copy. In a poorly designed environment this makes automatic recovery impossible and effectively sets the entire system back to square one.
Getting services and information back after a ransomware outage becomes a race against the clock as the targeted organization struggles to contain the infection, eradicate the crypto-ransomware, and resume business-critical operations. Because it takes time for ransomware to spread through and encrypt an entire network, attackers often trigger encryption during nights and weekends, when the intrusion is likely to go unnoticed for longer. This multiplies the difficulty of quickly assembling and coordinating a knowledgeable response team.
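The behaviour described above (mass encryption of every reachable file and destruction of local recovery points) leaves a trail that does not depend on any signature. The following Python script is an added example, not code from Progent or from any product named on this page; it runs three behavioural checks over a constructed file-event log (the hostnames, process names, file paths and timings are made up) and flags the process that behaves like ransomware while leaving a normal document save and a single archive write alone.

```python
"""Behavioural ransomware indicators over a constructed file-event log.

Added example, not Progent's or any vendor's code. Three signals that
crypto-ransomware leaves regardless of family or signature:
  1. a burst of writes whose contents look random (high Shannon entropy),
  2. mass renames of files to one new extension,
  3. deletion of local recovery points (shadow copies, backup catalog).
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class FileEvent:
    ts: float             # seconds from the start of the log
    host: str
    proc: str             # image name of the acting process
    op: str               # "write" | "rename" | "exec"
    path: str = ""        # file written, or rename source
    dst: str = ""         # rename destination
    payload: bytes = b""  # sample of the bytes written (constructed, not real telemetry)
    cmdline: str = ""     # command line, for "exec" events


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit near 8.0, prose near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Command fragments that destroy the recovery points ransomware wants gone.
RECOVERY_KILL_PATTERNS = (
    ("vssadmin", "delete", "shadows"),
    ("wmic", "shadowcopy", "delete"),
    ("wbadmin", "delete", "catalog"),
    ("bcdedit", "recoveryenabled", "no"),
)


def is_recovery_point_deletion(cmdline: str) -> bool:
    low = cmdline.lower()
    return any(all(tok in low for tok in pat) for pat in RECOVERY_KILL_PATTERNS)


def analyze(events, window=60.0, entropy_min=7.5, burst=20):
    """Return {(host, proc): [finding, ...]} for processes behaving like ransomware.

    Write and rename signals are counted per process in fixed `window`-second
    buckets, so one high-entropy write (a zip, a photo) or one rename never
    fires; a burst of `burst` or more does. Recovery-point deletion fires once.
    """
    findings = defaultdict(list)
    buckets = defaultdict(lambda: {"hi_entropy": 0, "ext": Counter()})
    for e in events:
        key = (e.host, e.proc)
        if e.op == "exec":
            if is_recovery_point_deletion(e.cmdline):
                findings[key].append(f"recovery-point deletion: {e.cmdline}")
            continue
        b = buckets[(key, int(e.ts // window))]
        if e.op == "write" and shannon_entropy(e.payload) >= entropy_min:
            b["hi_entropy"] += 1
        elif e.op == "rename":
            new_ext = PureWindowsPath(e.dst).suffix.lower()
            if new_ext and new_ext != PureWindowsPath(e.path).suffix.lower():
                b["ext"][new_ext] += 1
    for (key, _), b in buckets.items():
        if b["hi_entropy"] >= burst:
            findings[key].append(f"{b['hi_entropy']} high-entropy writes in {window:.0f}s")
        for ext, n in b["ext"].items():
            if n >= burst:
                findings[key].append(f"{n} files renamed to {ext} in {window:.0f}s")
    return dict(findings)


def constructed_events():
    """Constructed sample telemetry, not data from any real incident."""
    ciphertext = bytes(range(256)) * 16  # stand-in for encrypted output (entropy 8.0)
    prose = b"Quarterly forecast, revised draft. " * 100
    evs = [
        # Benign: Word saving one document.
        FileEvent(0.0, "FS01", "winword.exe", "write", r"C:\Share\plan.docx", payload=prose),
        # Benign: a single archive write is high entropy but not a burst.
        FileEvent(5.0, "FS01", "7z.exe", "write", r"C:\Share\archive.7z", payload=ciphertext),
        # Malicious: shadow copies are wiped before encryption finishes.
        FileEvent(12.0, "FS01", "cmd.exe", "exec", cmdline="vssadmin.exe Delete Shadows /All /Quiet"),
    ]
    # Malicious: 25 spreadsheets overwritten with ciphertext and renamed within 30 seconds
    # (.RYK is the extension Ryuk appends; the files and timings here are made up).
    for i in range(25):
        src = rf"C:\Share\doc{i}.xlsx"
        evs.append(FileEvent(10.0 + i, "FS01", "svchost.exe", "write", src, payload=ciphertext))
        evs.append(FileEvent(10.5 + i, "FS01", "svchost.exe", "rename", src, dst=src + ".RYK"))
    return evs


if __name__ == "__main__":
    for (host, proc), notes in analyze(constructed_events()).items():
        print(f"{host} {proc}:")
        for note in notes:
            print("   ", note)
```

The thresholds are deliberately per process and per time window: a backup agent or an archiver legitimately writes high-entropy data, but it does not rewrite dozens of user documents a minute and rename them to one new extension, and nothing legitimate on a file server deletes every shadow copy. Real EDR products apply the same idea with richer telemetry, which is why a never-before-seen variant is still caught.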
Progent offers a range of services for protecting enterprises from crypto-ransomware events. These include staff education to recognize and avoid phishing attempts, ProSight Active Security Monitoring for endpoint protection and response, and deployment of SentinelOne next-generation endpoint protection, which uses behavioral machine learning to detect and block zero-day threats. Progent also provides experienced ransomware recovery professionals with the track record and perseverance to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware penetration, even paying the cryptocurrency ransom does not guarantee that the criminals will supply working decryption keys. Kaspersky found that 17% of ransomware victims who paid never recovered their files, compounding their losses. The gamble is also expensive: Ryuk ransoms are typically a few hundred thousand dollars, and for larger enterprises the demand can reach millions. The alternative is to rebuild the essential parts of your IT environment. Without usable backups of critical data, this requires a broad complement of IT skills, well-coordinated project management, and the ability to work around the clock until the recovery is complete.
For two decades, Progent has provided certified expert IT services to companies throughout the U.S. and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers with high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware and the popular Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, GIAC and CMMC 2.0 (see Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise lets Progent rapidly understand critical systems, salvage the surviving pieces of your IT environment after a ransomware attack, and assemble them into an operational network.
Progent's security team uses robust project management tools to orchestrate the complex restoration process, and understands the urgency of working rapidly and in concert with the client's management and IT staff to prioritize tasks and get critical services back online as fast as humanly possible.
Case Study: A Successful Ransomware Intrusion Recovery
A client engaged Progent after their organization was taken over by the Ryuk crypto-ransomware. Ryuk was at first attributed to North Korean state-sponsored hackers because of code it shares with the earlier Hermes ransomware, but subsequent analysis tied it to the Russian-speaking criminal group tracked as Wizard Spider, which delivers it through TrickBot and Emotet infections after a period of hands-on reconnaissance inside the victim's network (some TrickBot builds spread laterally with the EternalBlue SMB exploit from the leaked NSA toolset). Ryuk targets organizations with little tolerance for operational disruption and is one of the most lucrative ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with about 500 employees. The Ryuk attack had frozen all business operations and manufacturing processes, and most of the client's backups had been online and reachable from the compromised network at the time of the intrusion, so they were encrypted too. The client was preparing to pay the ransom (exceeding $200K) and hope for the best, but ultimately engaged Progent.
"I can't tell you enough about the help Progent gave us during the most fearful time of (our) business's existence. We would have paid the cyber criminals if not for the confidence the Progent experts afforded us. That you were able to get our e-mail system and important servers back online sooner than seven days was something I thought impossible. Every single expert I got help from or communicated with at Progent was laser focused on getting our company operational and was working at all hours to bail us out."
Progent worked with the client to quickly identify and prioritize the applications that had to be restored first so that business functions could continue:
- Microsoft Active Directory
- Email
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practices by isolating and cleaning the compromised systems. Progent then began restoring Microsoft Active Directory, the heart of any enterprise network built on Windows Server. Microsoft Exchange Server will not operate without Active Directory, and the business's financial and MRP software ran on Microsoft SQL Server, which relied on Active Directory (Windows-integrated) authentication for access to its databases.
Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then reinstalled and recovered storage for the critical systems. All Exchange Server schema and configuration information, which lives in Active Directory, was intact, which simplified the Exchange rebuild. Progent collected intact OST files (Outlook Offline Data Files) from staff PCs and laptops to recover mailbox contents. A reasonably recent offline backup of the accounting/ERP software made it possible to bring those services back to users. Although significant work remained to recover completely from Ryuk, the most important services were restored quickly:
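The dependency reasoning in that paragraph (nothing comes back before Active Directory, and the ERP cannot come back before SQL Server) generalizes to any environment: write down what each service needs, then restore in an order that never starts a service before its prerequisites, using business priority only to break ties among services that are ready. The following Python function is an added example, not Progent's planning tool; the service names, dependencies and priorities are assumptions modelled loosely on this case study, not the client's actual systems.

```python
"""Restore ordering from a service dependency map (added example, not Progent's code)."""
import heapq

# Constructed dependency map: each service lists the services that must be
# running before it can be restored. Names are assumptions, not real hosts.
DEPENDENCIES = {
    "active-directory": [],
    "exchange": ["active-directory"],
    "sql-server": ["active-directory"],        # Windows-authenticated logins
    "erp-mrp": ["sql-server"],
    "accounting": ["sql-server"],
    "mail-archive": ["exchange"],
    "website": [],                             # self-hosted, independent of AD
    "user-desktops": ["active-directory", "exchange"],
}

# Lower number = restore sooner when more than one service is ready.
BUSINESS_PRIORITY = {
    "active-directory": 0, "exchange": 1, "erp-mrp": 1, "accounting": 1,
    "sql-server": 2, "user-desktops": 3, "website": 4, "mail-archive": 5,
}


def restore_order(deps, priority):
    """Kahn's topological sort with a priority queue for the ready set.

    Returns the order in which to rebuild services so that nothing is started
    before its prerequisites. Raises ValueError naming the services stuck in a
    cycle; in a real map that usually means a mutual dependency (for example
    AD-integrated DNS and AD itself) that must be broken by restoring one side
    from an offline copy first.
    """
    indeg = {s: 0 for s in deps}
    dependents = {s: [] for s in deps}
    for svc, prereqs in deps.items():
        for p in prereqs:
            if p not in deps:
                raise KeyError(f"{svc} depends on unknown service {p}")
            indeg[svc] += 1
            dependents[p].append(svc)
    ready = [(priority.get(s, 99), s) for s in deps if indeg[s] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, svc = heapq.heappop(ready)
        order.append(svc)
        for d in dependents[svc]:
            indeg[d] -= 1
            if indeg[d] == 0:
                heapq.heappush(ready, (priority.get(d, 99), d))
    if len(order) != len(deps):
        stuck = sorted(s for s in deps if s not in order)
        raise ValueError(f"dependency cycle among: {', '.join(stuck)}")
    return order


if __name__ == "__main__":
    for step, svc in enumerate(restore_order(DEPENDENCIES, BUSINESS_PRIORITY), 1):
        print(f"{step:2d}. {svc}")
```

Note what the priority numbers do not do: accounting and the ERP carry a higher business priority than SQL Server, yet SQL Server is restored first because it is a prerequisite. Writing the map down before an incident, and keeping a copy of it offline, is what makes this ordering available at 2 a.m. on a weekend when nobody can log into the documentation system.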
"For the most part, the production line operation did not miss a beat and we produced all customer deliverables."
Over the following month, important recovery milestones were reached in close cooperation between Progent engineers and the client:
- Self-hosted web sites were brought back up with no loss of information.
- The MailStore archive of Exchange Server mail, with over 4 million historical emails, was brought up and made available to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory control were 100% operational.
- A new Palo Alto Networks 850 firewall was deployed.
- Ninety percent of user PCs were operational.
"Much of what was accomplished in the initial days is nearly entirely a haze for me, but my team will not forget the dedication each and every one of you showed in giving us our business back. I've trusted Progent for the past ten years, possibly more, and each time Progent has shined and delivered as promised. This time was a stunning achievement."
Conclusion
A potential business-ending disaster was avoided through the efforts of top-tier professionals, a broad range of technical expertise, and close collaboration. Post-incident forensics showed that this ransomware incident could have been prevented with current security tools and best practices, staff training, properly executed backup procedures that keep copies offline, and disciplined patching; but the reality remains that state-sponsored and criminal attackers from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by ransomware, remember that Progent's roster of experts has a proven track record in ransomware prevention, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful you let me get some rest after we made it over the initial push. Everyone did an impressive job, and if any of you guys are around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Addison a range of remote monitoring and security assessment services designed to minimize your exposure to ransomware. These services incorporate next-generation behavioral AI technology to uncover zero-day ransomware variants that evade traditional signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system operating efficiently by checking the health of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT staff and your assigned Progent consultant so that all potential problems can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Desktops
ProSight LAN Watch with NinjaOne RMM software delivers a centralized, cloud-driven platform for monitoring and managing your network, server, and desktop devices by providing an environment for performing common time-consuming tasks. These include health checking, patch management, automated repairs, endpoint setup, backup and restore, A/V protection, secure remote access, built-in and custom scripts, asset inventory, endpoint status reporting, and debugging support. If ProSight LAN Watch with NinjaOne RMM identifies a serious incident, it sends an alert to your specified IT personnel and your Progent technical consultant so that potential problems can be taken care of before they interfere with your network. Learn more details about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map out, track, optimize and troubleshoot their connectivity appliances like routers, firewalls, and load balancers as well as servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, captures and manages the configuration of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating complex network management processes, WAN Watch can knock hours off common chores like network mapping, expanding your network, finding devices that require critical updates, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time and in-depth reporting utilities designed to integrate with the industry's top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as spotty support follow-through or machines with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup/restore software companies to create ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and allow transparent backup and rapid recovery of important files/folders, apps, system images, plus VMs. ProSight DPS helps your business protect against data loss resulting from equipment failures, natural calamities, fire, cyber attacks like ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to deliver web-based control and comprehensive protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway device provides a further level of analysis for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo MFA service plans use Cisco's Duo cloud technology to protect against compromised passwords through two-factor authentication. Duo enables one-tap identity verification on Apple iOS, Google Android, and other personal devices. With Duo 2FA, when you sign into a protected application and enter your password you are asked to verify your identity via a device that only you possess and that is reached over a different ("out-of-band") channel. A broad range of out-of-band devices can be used for this added factor, including a smartphone or watch, a hardware token, or a landline telephone, and you can register more than one verification device. To find out more about Duo identity validation services, visit Duo MFA two-factor authentication services.
- Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
Progent's Call Desk services permit your IT team to offload Call Center services to Progent or divide activity for Help Desk services seamlessly between your in-house network support team and Progent's nationwide roster of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth supplement to your corporate IT support group. End user access to the Help Desk, provision of support services, issue escalation, ticket creation and tracking, efficiency measurement, and management of the support database are consistent whether incidents are resolved by your in-house network support group, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Call Desk services.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses next-generation behavior-based analysis to defend endpoint devices as well as physical and virtual servers against modern malware such as ransomware and email phishing, which routinely escape traditional signature-matching anti-virus products. The service safeguards local and cloud-based resources and offers a unified platform for managing the complete malware attack progression, including protection, detection, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information about your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL/TLS certificates or domain registrations. By cleaning up and organizing your IT infrastructure documentation, you can save as much as 50% of the time wasted looking for critical information about your IT network. ProSight IT Asset Management provides a common location for storing and collaborating on all documents related to managing your business network, such as recommended procedures and How-To's, and offers a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management offer businesses of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information network. In addition to optimizing the security and functionality of your IT network, Progent's software/firmware update management services permit your in-house IT team to focus on line-of-business projects and activities that deliver the highest business value from your network. Read more about Progent's software/firmware update management support services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported easily to an alternate hosting environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which easily evade traditional signature-based AV tools. ProSight ASM protects local and cloud-based resources and offers a single platform to address the entire malware attack progression including filtering, identification, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable in-depth security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and react to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP deployment that meets your company's requirements and that allows you to prove compliance with government and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also help you set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.
For 24x7x365 ransomware recovery consulting in Addison, call Progent at 800-462-8800 or go to Contact Progent.