Ransomware: Your Worst Information Technology Disaster
Ransomware has become a modern cyber pandemic that presents an existential threat to organizations vulnerable to an attack. Multiple generations of ransomware like the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for many years and still inflict destruction. More recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, as well as frequent unnamed newcomers, not only encrypt on-line data but also compromise many of the available system protection mechanisms. Data synced to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can make automatic restoration useless and basically sets the network back to square one.
Restoring programs and information after a ransomware outage becomes a race against time as the victim fights to stop lateral movement, clean up the ransomware, and restore enterprise-critical operations. Since ransomware requires time to replicate, penetrations are often launched during nights and weekends, when successful attacks are likely to take longer to discover. This compounds the difficulty of promptly assembling and coordinating a qualified response team.
Progent has an assortment of services for protecting businesses from crypto-ransomware penetrations. Among these are staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security gateways with artificial intelligence technology from SentinelOne to detect and disable zero-day cyber threats rapidly. Progent also offers the assistance of seasoned ransomware recovery consultants with the talent and commitment to reconstruct a compromised network as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not ensure that distant criminals will provide the codes needed to decrypt all your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET determined to be around $13,000. The other path is to re-install the mission-critical parts of your IT environment. Without access to complete system backups, this calls for a wide range of skill sets, professional team management, and the willingness to work 24x7 until the recovery project is over.
For decades, Progent has made available expert Information Technology services for businesses in Addison and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned top certifications in important technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity consultants have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of expertise gives Progent the capability to knowledgeably assess the necessary systems, organize the surviving pieces of your IT environment following a ransomware penetration, and rebuild them into a functioning system.
Progent's ransomware team uses top-notch project management applications to coordinate the complicated recovery process. Progent appreciates the importance of working quickly and together with a customer's management and IT staff to prioritize tasks and to get key systems back on-line as fast as possible.
Customer Story: A Successful Ransomware Virus Response
A client contacted Progent after their network was penetrated by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored cybercriminals, suspected of adopting technology leaked from the U.S. National Security Agency. Ryuk targets specific companies with limited ability to sustain disruption and is among the most profitable versions of crypto-ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area with around 500 workers. The Ryuk event had disabled all essential operations and manufacturing capabilities. The majority of the client's information backups had been online at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom demand (exceeding $200K) and hoping for the best, but ultimately called Progent.
"I can't speak enough about the care Progent provided us throughout the most stressful period of (our) business's life. We may have had to pay the hackers if not for the confidence the Progent experts afforded us. That you could get our e-mail and key servers back sooner than 1 week was earth shattering. Every single staff member I got help from or messaged at Progent was totally committed to getting us restored and was working all day and night to bail us out."
Progent worked with the client to rapidly assess and prioritize the most important applications that had to be addressed in order to continue departmental operations:
- Windows Active Directory
- Accounting and Manufacturing Software
To begin, Progent adhered to anti-virus incident response industry best practices by isolating the affected systems and cleaning them of malware. Progent then started the steps of rebuilding Microsoft AD, the core of enterprise systems built on Microsoft Windows technology. Exchange email will not work without Windows AD, and the client's accounting and MRP software utilized Microsoft SQL, which needs Windows AD for security authorization to the databases.
Within 48 hours, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then performed rebuilding and storage recovery on essential systems. All Microsoft Exchange Server connections and configuration information were usable, which accelerated the restore of Exchange. Progent was able to assemble local OST files (Outlook Off-Line Folder Files) from staff desktop computers and laptops to recover email messages. A relatively recent off-line backup of the client's financials/ERP systems allowed these required applications to be brought back on-line. Although a large amount of work remained to recover completely from the Ryuk attack, critical systems were recovered rapidly:
"For the most part, the assembly line operation never missed a beat and we did not miss any customer deliverables."
During the following few weeks, critical milestones in the restoration project were achieved in close collaboration between Progent team members and the client:
- Internal web applications were brought back up with no loss of information.
- The MailStore Server with over four million archived messages was spun up and available for users.
- CRM/Orders/Invoices/AP/Accounts Receivables/Inventory capabilities were 100 percent recovered.
- A new Palo Alto Networks 850 security appliance was set up.
- Most of the user PCs were operational.
"Much of what went on those first few days is nearly entirely a blur for me, but we will not soon forget the care all of the team accomplished to help get our business back. I've utilized Progent for at least 10 years, possibly more, and every time Progent has shined and delivered as promised. This situation was the most impressive ever."
A possible enterprise-killing disaster was averted thanks to dedicated professionals, a broad array of subject matter expertise, and tight collaboration. In analyzing the event afterwards, the crypto-ransomware penetration detailed here would have been shut down by advanced cyber security systems and ISO/IEC 27001 best practices, user training, and well thought out incident response procedures for backup and proper patching controls. The reality, however, is that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's team of experts has substantial experience in ransomware defense, mitigation, and information systems restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get some sleep after we got past the initial push. Everyone did an incredible effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer case study, click: Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF - 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Addison a range of online monitoring and security assessment services to help you reduce your vulnerability to crypto-ransomware. These services incorporate next-generation artificial intelligence capability to detect zero-day variants of ransomware that are able to get past legacy signature-based anti-virus solutions.
For Addison 24x7 Ransomware Removal Support Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily escape legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to manage the complete threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and forensics. Top features include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, device control, and web filtering through cutting-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP environment that addresses your company's unique requirements and that helps you demonstrate compliance with government and industry information protection standards. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate action. Progent's consultants can also help your company to install and test a backup and restore system like ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with leading backup technology companies to produce ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup processes and enable transparent backup and rapid recovery of important files, apps, system images, and VMs. ProSight DPS helps you protect against data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, user error, malicious employees, or software bugs. Managed services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security companies to deliver centralized control and world-class protection for your email traffic. The powerful architecture of Email Guard integrates a Cloud Protection Layer with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most threats from reaching your security perimeter. This decreases your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the onsite security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, reconfigure and debug their connectivity appliances like routers and switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that network maps are always current, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, locating devices that require critical updates, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the state of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent consultant so any potential issues can be addressed before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported immediately to a different hosting environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard data related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can eliminate as much as half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates cutting-edge behavior-based analysis tools to guard endpoint devices as well as physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which easily escape legacy signature-based AV tools. Progent ASM services safeguard local and cloud-based resources and offer a unified platform to automate the entire threat lifecycle including filtering, identification, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Call Desk: Support Desk Managed Services
Progent's Help Desk services enable your IT staff to outsource Call Center services to Progent or split activity for support services transparently between your internal network support team and Progent's nationwide roster of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth supplement to your corporate support team. User interaction with the Service Desk, provision of technical assistance, issue escalation, trouble ticket generation and updates, efficiency measurement, and maintenance of the support database are consistent whether issues are resolved by your corporate IT support staff, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Service Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide organizations of all sizes a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and documenting updates to your dynamic IT network. Besides optimizing the protection and functionality of your IT environment, Progent's software/firmware update management services allow your IT staff to concentrate on line-of-business initiatives and tasks that derive the highest business value from your information network. Read more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you log into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a separate network channel. A broad range of out-of-band devices can be used for this second form of ID validation, such as an iPhone, Android phone or wearable, a hardware/software token, a landline phone, etc. You can register several validation devices. For details about ProSight Duo two-factor identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of in-depth reporting utilities created to integrate with the top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-through or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.