Ransomware: Your Crippling IT Disaster
Ransomware has become a modern cyber pandemic that represents an enterprise-level danger for any business vulnerable to attack. Ransomware families such as CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been in the wild for years and continue to cause damage. The latest strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with unnamed newcomers, not only encrypt online data but also seek out and encrypt every system backup they can reach. Data synchronized to the cloud can be ransomed as well. In a poorly architected environment, this can make recovery impossible and effectively knocks the entire system back to zero.
Restoring services and data after a ransomware outage becomes a race against time as the victim struggles to contain the incident, clear the crypto-ransomware, and bring business-critical activity back. Because ransomware takes time to spread, attacks are usually launched at night or on weekends, when they typically take longer to discover. This compounds the difficulty of promptly mobilizing and coordinating an experienced mitigation team.
Progent offers a range of services for protecting businesses from ransomware incidents. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern AI-based security technology from SentinelOne to detect and quarantine zero-day threats quickly. Progent also provides the services of seasoned crypto-ransomware recovery professionals with the track record and perseverance to redeploy a compromised system as soon as possible.
Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the criminal gang will deliver the keys to decrypt any of your data. Kaspersky estimated that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms are typically several hundred thousand dollars, and for larger enterprises the ransom can run into the millions. The alternative is to rebuild the vital components of your IT environment. Without access to intact system backups, this requires a wide range of skills, professional project management, and the willingness to work non-stop until the job is done.
For decades, Progent has provided expert IT services to businesses throughout the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold top certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth of experience allows Progent to rapidly identify critical systems, salvage the surviving parts of your IT environment after a crypto-ransomware attack, and reassemble them into a functioning network.
Progent's ransomware team uses proven project management practices to orchestrate the complex recovery process. Progent understands the importance of acting quickly and in unison with a client's management and IT resources to prioritize tasks and bring the most important applications back online as fast as possible.
Client Case Study: A Successful Ransomware Attack Response
A business sought out Progent after the company was hit by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored criminal gangs, possibly adopting techniques leaked from the US NSA. Ryuk targets specific businesses with limited ability to tolerate operational disruption and is one of the most profitable strains of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with around 500 employees. The Ryuk attack had shut down all essential business operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (in excess of $200K) and praying for the best, but in the end decided to engage Progent.
"I cannot speak enough about the care Progent provided us during the most fearful period of (our) business's life. We may have had to pay the Hackers if it wasn't for the confidence the Progent group gave us. That you were able to get our e-mail and key applications back on-line quicker than five days was something I thought impossible. Each consultant I interacted with or e-mailed at Progent was hell bent on getting us back online and was working day and night to bail us out."
Progent worked together with the customer to quickly identify and prioritize the mission critical applications that needed to be restored in order to restart company functions:
- Active Directory (AD)
- E-Mail
- Accounting/MRP
To begin, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning infected systems. Progent then started the work of recovering Microsoft Active Directory, the foundation of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server email will not function without Active Directory, and the client's accounting and MRP software used Microsoft SQL Server, which depends on Active Directory for access control to the data.
In less than two days, Progent rebuilt Active Directory to its pre-attack state. Progent then moved on to setup and disk recovery on key systems. All Microsoft Exchange Server ties and attributes were intact, which simplified the restore of Exchange. Progent was also able to locate intact OST files (Outlook Offline Data Files) on staff PCs and laptops and used them to recover mail data. A recent offline backup of the business's accounting/MRP systems made it possible to bring these essential applications back to users. Although a great deal of work remained to recover fully from Ryuk, critical services were restored quickly:
"For the most part, the assembly line operation showed little impact and we produced all customer deliverables."
Over the following month, key milestones in the restoration process were reached through close cooperation between Progent engineers and the client:
- In-house web sites were brought back up without losing any data.
- The MailStore Server containing more than four million historical messages was brought online and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory functions were fully operational.
- A new Palo Alto 850 security appliance was brought on-line.
- Most of the user desktops and notebooks were operational.
"Much of what went on during the initial response is nearly entirely a blur for me, but my management will not soon forget the commitment each and every one of you put in to give us our business back. I have entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has come through and delivered. This situation was a stunning achievement."
Conclusion
A potential business-killing disaster was averted by hard-working experts, a broad range of knowledge, and tight teamwork. Post-incident forensics showed that the ransomware incident described here could have been detected and stopped with advanced security technology, recognized best practices, staff training, properly executed incident response procedures, and timely security patching. The reality remains, however, that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and an ongoing threat. If you are hit by a crypto-ransomware attack, remember that Progent's team of experts has substantial experience in ransomware blocking, removal, and file restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get rested after we made it past the initial push. Everyone did a fabulous effort, and if any of your team is visiting the Chicago area, dinner is my treat!"
To review or download a PDF version of this case study, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Addison a variety of remote monitoring and security assessment services to help reduce your exposure to crypto-ransomware. These services use modern artificial intelligence technology to detect zero-day ransomware variants that evade legacy signature-based security products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by tracking the state of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT personnel and your assigned Progent engineering consultant so that all looming problems can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to map, track, enhance and debug their connectivity hardware like routers, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, captures and displays the configuration of almost all devices on your network, monitors performance, and generates alerts when issues are discovered. By automating tedious network management processes, WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, locating appliances that require important updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time and in-depth reporting plug-ins designed to work with the leading ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues such as inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore technology companies to produce ProSight Data Protection Services (DPS), a family of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and allow non-disruptive backup and fast restoration of vital files/folders, applications, system images, plus virtual machines. ProSight DPS lets your business avoid data loss resulting from equipment failures, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or application bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security companies to provide web-based management and world-class protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway appliance to provide advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as the first line of defense and blocks the vast majority of threats before they reach your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a further level of inspection for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also work with Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against compromised passwords through two-factor authentication. Duo supports one-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that uses a separate ("out-of-band") network channel. A broad selection of devices can serve as this second form of identity validation, including a smartphone or wearable, a hardware or software token, or a landline phone. You may designate multiple validation devices. For more information about Duo identity authentication services, see Duo MFA two-factor authentication (2FA) services.
- Outsourced/Co-managed Service Center: Help Desk Managed Services
Progent's Support Center services allow your IT team to offload Support Desk services to Progent or divide activity for Service Desk support seamlessly between your in-house network support resources and Progent's nationwide pool of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a transparent supplement to your in-house support organization. User interaction with the Service Desk, provision of technical assistance, problem escalation, ticket generation and tracking, efficiency metrics, and maintenance of the service database are cohesive regardless of whether issues are taken care of by your in-house IT support group, by Progent, or both. Read more about Progent's outsourced/co-managed Help Desk services.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that uses cutting-edge behavior-based machine learning tools to defend endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely get past legacy signature-based anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud resources and offer a single platform to manage the complete threat progression, including blocking, detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates, domains or warranties. By keeping your IT infrastructure documentation current and organized, you can eliminate as much as 50% of the time wasted hunting for critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and correlating IT information. Whether you're planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about ProSight IT Asset Management service.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer organizations of any size a versatile and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT system. Besides maximizing the protection and reliability of your computer network, Progent's patch management services permit your IT staff to concentrate on more strategic projects and activities that derive the highest business value from your information network. Read more about Progent's patch management services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be moved easily to an alternate hardware solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily get past legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to address the entire threat progression, including blocking, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device management, and web filtering through leading-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that meets your organization's specific requirements and that helps you prove compliance with legal and industry information security regulations. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent can also help your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.
For 24x7 Addison Ransomware Recovery Consultants, contact Progent at 800-462-8800 or go to Contact Progent.