Ransomware : Your Worst Information Technology Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that poses an enterprise-level threat to businesses of every size. Different families of ransomware such as Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been circulating for years and continue to inflict damage. Recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus additional as yet unnamed variants, not only encrypt online data but also attack every accessible system protection mechanism. Data synchronized to cloud environments can also be ransomed. In a vulnerable system, this renders automatic restoration useless and effectively sets the entire environment back to zero.
Recovering programs and data after a crypto-ransomware intrusion becomes a sprint against the clock as the targeted organization tries to contain and eradicate the ransomware and restore enterprise-critical operations. Because ransomware requires time to spread, attacks are often launched on weekends, when a successful attack is likely to take longer to discover. This multiplies the difficulty of quickly mobilizing and orchestrating a capable response team.
Progent makes available a range of help services for securing enterprises from ransomware events. These include staff education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security gateways with artificial intelligence technology from SentinelOne to identify and disable new cyber threats rapidly. Progent also can provide the services of expert ransomware recovery professionals with the skills and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware penetration, even paying the ransom demand in cryptocurrency does not ensure that the criminals will return the keys needed to decrypt any or all of your files. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their information even after paying the ransom, resulting in further losses. The risk is also expensive. Ryuk ransoms are commonly a few hundred thousand dollars. For larger enterprises, the ransom demand can be in the millions. The fallback is to piece back together the vital components of your IT environment. Without access to complete system backups, this requires a wide range of IT skills, well-coordinated project management, and the ability to work continuously until the task is complete.
For twenty years, Progent has provided expert IT services for businesses across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the skills to quickly understand the necessary systems, integrate the remaining parts of your IT environment after a ransomware attack, and rebuild them into a functioning system.
Progent's ransomware group uses best-of-breed project management tools to coordinate the complicated recovery process. Progent understands the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and get essential services back online as fast as possible.
Case Study: A Successful Ransomware Penetration Restoration
A small business engaged Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state hackers, suspected of using techniques leaked from the United States NSA. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most profitable incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area with about 500 staff members. The Ryuk attack had paralyzed all essential operations and manufacturing processes. The majority of the client's backups had been online at the start of the attack and were eventually encrypted. The client was preparing to pay the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end turned to Progent.
"I cannot thank you enough for the help Progent provided us during the most stressful time of (our) business's existence. We may have had to pay the cyber criminals if not for the confidence the Progent team gave us. The fact that you were able to get our e-mail and production servers back in less than 1 week was earth shattering. Every single expert I talked with or communicated with at Progent was absolutely committed to getting us working again and was working 24 by 7 on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the critical elements that had to be recovered in order to continue business functions:
- Windows Active Directory
- Email
- Accounting/MRP
To begin, Progent followed antivirus/malware incident mitigation best practices by halting lateral movement and cleaning infected systems. Progent then started the task of bringing Microsoft Active Directory back online, the heart of enterprise networks built on Microsoft technology. Microsoft Exchange messaging will not work without Active Directory, and the business's financial and MRP applications relied on SQL Server, which needs Windows AD for authentication and authorization of access to the data.
Within two days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then helped perform setup and disk recovery for the needed applications. All Microsoft Exchange Server data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to find non-encrypted OST files (Outlook Offline Data Files) on various workstations and use them to recover mail data. A reasonably recent offline backup of the client's accounting software made it possible to bring these essential services back to users. Although a lot of work remained to recover completely from the Ryuk event, critical systems were restored rapidly:
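The step of locating non-encrypted OST files on workstations can be made repeatable. The PowerShell below is an added example written for this page, not Progent's tooling or a script from the case. It walks the given search roots for Outlook data files (including files to which ransomware has appended its own extension), reads the first four bytes of each, and reports whether the file still carries the "!BDN" magic that the MS-PST file format specification requires at the start of an intact PST/OST; an encrypted or truncated file will not. The search roots and report path are assumptions and should be adjusted to the environment.

```powershell
# Added example, not the case's own tooling: triage Outlook OST/PST files after a
# ransomware event by checking the MS-PST header magic "!BDN" (0x21 0x42 0x44 0x4E).
# $SearchRoots and $ReportPath are assumed defaults for illustration.
param(
    [string[]]$SearchRoots = @("$env:LOCALAPPDATA\Microsoft\Outlook"),
    [string]$ReportPath = "$env:TEMP\ost-triage.csv"
)

$magic = [byte[]](0x21, 0x42, 0x44, 0x4E)   # "!BDN" per MS-PST HEADER.dwMagic

function Test-PstMagic {
    # Returns $true only if the first four bytes match the PST/OST magic.
    param([string]$Path)
    try {
        # Open read-only with a shared lock so a file Outlook still holds can be inspected.
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 4
            $n = $fs.Read($buf, 0, 4)
            if ($n -lt 4) { return $false }
            for ($i = 0; $i -lt 4; $i++) {
                if ($buf[$i] -ne $magic[$i]) { return $false }
            }
            return $true
        } finally {
            $fs.Dispose()
        }
    } catch {
        return $false
    }
}

$results = foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    # Match .ost/.pst and also names where an extra extension was appended by ransomware.
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.(ost|pst)(\.[^.]+)?$' } |
        ForEach-Object {
            [pscustomobject]@{
                Path         = $_.FullName
                SizeMB       = [math]::Round($_.Length / 1MB, 1)
                LastWrite    = $_.LastWriteTime
                HeaderIntact = Test-PstMagic -Path $_.FullName
            }
        }
}

# Intact, large files first: those are the best candidates for mail recovery.
$results |
    Sort-Object HeaderIntact, SizeMB -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation
$results | Format-Table -AutoSize
```

A file whose header is intact is a candidate, not a guarantee, since an attacker may have encrypted only part of a large file; copy the candidate to clean media and open it there rather than working on the original.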
"For the most part, the production operation survived unscathed and we delivered all customer shipments."
During the following weeks, key milestones in the restoration process were reached in close collaboration between Progent engineers and the customer:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore Exchange Server containing more than 4 million archived messages was brought online and accessible to users.
- CRM/Customer Orders/Invoicing/AP/AR/Inventory capabilities were 100% functional.
- A new Palo Alto Networks 850 security appliance was set up.
- 90% of the user desktops and notebooks were functioning as before the incident.
"Much of what transpired in the early hours is mostly a haze for me, but my management will not soon forget the care each and every one of your team accomplished to help get our company back. I have trusted Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This time was a testament to your capabilities."
Conclusion
A likely business-ending disaster was avoided through hard-working experts, a wide range of technical expertise, and close collaboration. Post-incident analysis showed that the ransomware incident described here would have been identified and blocked by up-to-date cybersecurity technology and NIST Cybersecurity Framework best practices, staff training, and appropriate procedures for data backup and patching. Even so, state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and will continue. If you are hit by a ransomware incident, remember that Progent's team of experts has a proven track record in ransomware blocking, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for allowing me to get rested after we got over the initial push. All of you did an incredible job, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Adelaide a variety of online monitoring and security assessment services designed to help you minimize your exposure to ransomware. These services include next-generation artificial intelligence technology to uncover new variants of ransomware that can get past traditional signature-based security products.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by checking the state of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT personnel and your assigned Progent engineering consultant so that all looming issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a unified, cloud-based platform for monitoring and managing your network, server, and desktop devices by providing tools for performing common time-consuming jobs. These include health monitoring, update management, automated remediation, endpoint setup, backup and restore, anti-virus protection, secure remote access, standard and custom scripts, asset inventory, endpoint status reports, and troubleshooting assistance. If ProSight LAN Watch with NinjaOne RMM uncovers a serious problem, it transmits an alert to your designated IT management personnel and your assigned Progent consultant so that potential problems can be fixed before they interfere with productivity. Learn more details about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring services.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, monitor, optimize and debug their connectivity hardware such as switches, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, locating appliances that require important software patches, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of real-time management reporting utilities designed to work with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with leading backup software providers to produce ProSight Data Protection Services, a portfolio of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products manage and monitor your backup operations and enable transparent backup and rapid recovery of critical files, apps, system images, plus virtual machines. ProSight DPS lets you avoid data loss resulting from hardware breakdown, natural disasters, fire, malware like ransomware, user mistakes, malicious employees, or software glitches. Managed backup services available in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security vendors to provide web-based control and comprehensive protection for your email traffic. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps the vast majority of threats from making it to your network firewall. This decreases your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of analysis for inbound email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that stays within your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services use Cisco's Duo technology to defend against compromised passwords with two-factor authentication (2FA). Duo enables one-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a different ("out-of-band") network channel. A wide range of devices can serve as this added factor, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline telephone. You may register multiple verification devices. For more information about Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication (2FA) services.
- Progent's Outsourced/Shared Help Desk: Call Center Managed Services
Progent's Call Center managed services allow your IT staff to offload Call Center services to Progent or divide activity for support services seamlessly between your in-house support group and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent supplement to your in-house network support team. User access to the Service Desk, provision of technical assistance, problem escalation, trouble ticket generation and tracking, performance metrics, and management of the support database are consistent whether incidents are taken care of by your core IT support group, by Progent, or by a combination. Learn more about Progent's outsourced/shared Help Center services.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection managed service that uses behavior analysis technology to defend endpoints, servers and VMs against new malware attacks such as ransomware and email phishing, which routinely get past legacy signature-matching AV products. Progent ASM services safeguard on-premises and cloud resources and offer a unified platform to address the complete malware attack progression, including protection, detection, containment, cleanup, and forensics. Key features include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect information related to your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate up to half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about ProSight IT Asset Management service.
- Progent's Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer organizations of any size a versatile and cost-effective solution for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. In addition to maximizing the protection and reliability of your computer environment, Progent's patch management services permit your IT staff to concentrate on more strategic initiatives and tasks that deliver the highest business value from your information network. Find out more about Progent's patch management support services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved quickly to different hardware without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior machine learning tools to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely evade legacy signature-based AV tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to automate the entire threat progression including filtering, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and respond to cyber attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device management, and web filtering via leading-edge tools packaged within a single agent managed from a single console. Progent's security and virtualization experts can help your business design and configure a ProSight ESP environment that addresses your company's unique requirements and that allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate attention. Progent's consultants can also help your company set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.
For 24-Hour Adelaide Crypto Recovery Consultants, call Progent at 800-462-8800 or go to Contact Progent.