Ransomware : Your Feared Information Technology Nightmare
Ransomware has become a too-frequent cyberplague that presents an existential threat for organizations poorly prepared for an attack. Versions of ransomware like the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still inflict havoc. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with more unnamed newcomers, not only do encryption of on-line data but also infiltrate any configured system backup. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a vulnerable system, this can make automated restoration impossible and effectively knocks the network back to zero.
Recovering programs and data following a crypto-ransomware outage becomes a sprint against the clock as the targeted organization fights to stop lateral movement and cleanup the ransomware and to resume mission-critical operations. Because crypto-ransomware requires time to move laterally, assaults are usually launched on weekends, when successful penetrations are likely to take more time to identify. This compounds the difficulty of promptly marshalling and orchestrating an experienced response team.
Progent offers a variety of support services for protecting enterprises from crypto-ransomware penetrations. Among these are team education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security appliances with artificial intelligence technology from SentinelOne to discover and extinguish zero-day threats rapidly. Progent in addition offers the assistance of seasoned ransomware recovery professionals with the skills and perseverance to reconstruct a breached system as rapidly as possible.
Progent's Ransomware Restoration Services
Following a crypto-ransomware event, even paying the ransom demands in cryptocurrency does not ensure that criminal gangs will respond with the needed codes to unencrypt any of your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well higher than the typical crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to setup from scratch the essential elements of your Information Technology environment. Absent the availability of essential system backups, this requires a wide range of skills, well-coordinated project management, and the willingness to work continuously until the job is finished.
For twenty years, Progent has provided certified expert IT services for companies in Addison and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded high-level industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of experience affords Progent the capability to rapidly determine important systems and re-organize the surviving pieces of your network system following a crypto-ransomware attack and configure them into an operational system.
Progent's recovery group utilizes state-of-the-art project management systems to orchestrate the sophisticated restoration process. Progent knows the urgency of acting swiftly and in unison with a client's management and IT team members to prioritize tasks and to get the most important applications back on-line as fast as possible.
Client Story: A Successful Ransomware Incident Restoration
A business escalated to Progent after their network system was attacked by the Ryuk crypto-ransomware. Ryuk is thought to have been developed by Northern Korean government sponsored criminal gangs, possibly using techniques exposed from the United States National Security Agency. Ryuk targets specific businesses with little room for disruption and is among the most profitable versions of ransomware malware. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area and has about 500 staff members. The Ryuk intrusion had frozen all essential operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the time of the intrusion and were encrypted. The client considered paying the ransom (exceeding $200,000) and wishfully thinking for good luck, but ultimately called Progent.
"I cannot speak enough in regards to the help Progent gave us throughout the most fearful period of (our) company's existence. We had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent experts gave us. That you were able to get our messaging and key servers back on-line faster than one week was earth shattering. Every single consultant I worked with or texted at Progent was absolutely committed on getting us working again and was working 24/7 to bail us out."
Progent worked together with the client to quickly get our arms around and assign priority to the essential elements that needed to be restored in order to restart company functions:
- Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To get going, Progent followed Anti-virus event mitigation industry best practices by stopping lateral movement and clearing infected systems. Progent then initiated the task of bringing back online Microsoft Active Directory, the foundation of enterprise networks built on Microsoft technology. Exchange email will not function without Windows AD, and the client's MRP software leveraged Microsoft SQL Server, which requires Active Directory services for security authorization to the database.
In less than two days, Progent was able to recover Active Directory to its pre-attack state. Progent then accomplished reinstallations and hard drive recovery of the most important servers. All Microsoft Exchange Server data and configuration information were intact, which facilitated the restore of Exchange. Progent was able to find intact OST files (Outlook Off-Line Folder Files) on staff desktop computers in order to recover email messages. A recent offline backup of the client's financials/MRP software made them able to restore these essential programs back on-line. Although significant work was left to recover fully from the Ryuk damage, critical services were returned to operations rapidly:
"For the most part, the assembly line operation did not miss a beat and we did not miss any customer orders."
Throughout the next month critical milestones in the recovery process were made through close cooperation between Progent consultants and the client:
- Self-hosted web applications were brought back up without losing any data.
- The MailStore Server containing more than four million archived emails was brought online and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control modules were completely recovered.
- A new Palo Alto 850 security appliance was installed and configured.
- Nearly all of the desktop computers were fully operational.
"A lot of what transpired in the early hours is mostly a blur for me, but my team will not forget the countless hours each and every one of the team accomplished to help get our business back. I've utilized Progent for the past ten years, possibly more, and every time Progent has shined and delivered as promised. This event was a Herculean accomplishment."
Conclusion
A potential business catastrophe was dodged by top-tier professionals, a wide range of subject matter expertise, and close teamwork. Although upon completion of forensics the crypto-ransomware incident described here would have been identified and blocked with advanced cyber security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and properly executed security procedures for data protection and applying software patches, the fact is that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware incursion, feel confident that Progent's team of experts has proven experience in ransomware virus defense, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for making it so I could get some sleep after we got past the initial push. All of you did an impressive job, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Addison a portfolio of online monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services include next-generation artificial intelligence technology to detect new variants of ransomware that can get past legacy signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which easily get by traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to manage the entire malware attack progression including filtering, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services offer economical multi-layer security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering through cutting-edge tools packaged within one agent accessible from a single control. Progent's data protection and virtualization consultants can help your business to plan and configure a ProSight ESP deployment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent can also assist your company to set up and test a backup and restore system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with leading backup/restore software companies to produce ProSight Data Protection Services, a family of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and enable non-disruptive backup and fast recovery of critical files/folders, apps, images, and VMs. ProSight DPS lets you recover from data loss caused by hardware breakdown, natural disasters, fire, malware like ransomware, human mistakes, malicious employees, or application glitches. Managed backup services in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to provide centralized control and world-class security for all your email traffic. The powerful structure of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of threats from making it to your security perimeter. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's onsite gateway device provides a further level of inspection for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and troubleshoot their networking appliances like switches, firewalls, and access points as well as servers, client computers and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when issues are discovered. By automating time-consuming management processes, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, locating devices that need critical software patches, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management techniques to help keep your network running at peak levels by tracking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT management personnel and your Progent engineering consultant so all looming issues can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved easily to a different hardware solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard information about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSLs ,domains or warranties. By updating and managing your network documentation, you can save as much as half of time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Read more about ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection service that utilizes next generation behavior analysis technology to guard endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which easily get by legacy signature-matching anti-virus tools. Progent ASM services safeguard on-premises and cloud-based resources and provides a unified platform to address the entire malware attack lifecycle including blocking, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and automatic system-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Service Center: Help Desk Managed Services
Progent's Help Center managed services enable your information technology team to offload Call Center services to Progent or split responsibilities for Service Desk support seamlessly between your in-house support group and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless supplement to your in-house network support team. User interaction with the Service Desk, delivery of support services, problem escalation, ticket generation and updates, efficiency measurement, and management of the support database are cohesive whether issues are taken care of by your core IT support staff, by Progent's team, or both. Read more about Progent's outsourced/shared Service Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide businesses of all sizes a flexible and affordable solution for assessing, testing, scheduling, applying, and tracking software and firmware updates to your dynamic IT system. Besides optimizing the protection and reliability of your IT environment, Progent's patch management services free up time for your in-house IT staff to focus on more strategic initiatives and tasks that deliver maximum business value from your network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication. Duo supports one-tap identity verification with iOS, Google Android, and other out-of-band devices. Using 2FA, whenever you log into a secured online account and give your password you are asked to confirm your identity on a device that only you have and that uses a separate network channel. A wide selection of devices can be used as this added means of ID validation including an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You can designate several validation devices. To find out more about Duo two-factor identity authentication services, go to Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of in-depth management reporting tools created to integrate with the leading ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-up or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Addison 24-7 Ransomware Cleanup Support Services, contact Progent at 800-462-8800 or go to Contact Progent.