Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential threat for businesses of all sizes poorly prepared for an attack. Multiple generations of ransomware such as Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause destruction. Recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus more as yet unnamed malware, not only encrypt online data files but also infect many configured system backups. Information replicated to cloud environments can also be held hostage. In a poorly architected system, it can make automatic recovery impossible and effectively knocks the datacenter back to square one.
Getting back online services and information after a ransomware event becomes a sprint against time as the targeted business fights to stop the spread, cleanup the ransomware, and restore business-critical activity. Due to the fact that crypto-ransomware takes time to spread, attacks are often sprung during nights and weekends, when successful penetrations typically take more time to notice. This compounds the difficulty of quickly mobilizing and orchestrating a knowledgeable response team.
Progent offers a range of services for protecting businesses from ransomware penetrations. Among these are team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security gateways with AI capabilities from SentinelOne to detect and quarantine new cyber threats automatically. Progent also can provide the services of veteran ransomware recovery professionals with the skills and perseverance to restore a compromised system as soon as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom demands in cryptocurrency does not guarantee that cyber hackers will respond with the needed codes to unencrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never restored their information after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms are commonly a few hundred thousand dollars. For larger enterprises, the ransom can be in the millions of dollars. The alternative is to setup from scratch the essential components of your Information Technology environment. Without access to essential information backups, this calls for a wide complement of IT skills, top notch project management, and the capability to work non-stop until the job is completed.
For decades, Progent has offered professional IT services for businesses throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent in addition has expertise in financial systems and ERP applications. This breadth of expertise affords Progent the skills to efficiently ascertain important systems and re-organize the surviving parts of your IT environment following a ransomware penetration and configure them into a functioning system.
Progent's recovery team of experts has top notch project management systems to coordinate the sophisticated recovery process. Progent understands the urgency of acting rapidly and in unison with a client's management and IT resources to prioritize tasks and to put essential applications back on-line as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Penetration Recovery
A business escalated to Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been developed by Northern Korean state sponsored criminal gangs, possibly using approaches leaked from America's National Security Agency. Ryuk seeks specific organizations with limited tolerance for disruption and is one of the most lucrative instances of ransomware viruses. Major victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in the Chicago metro area with around 500 employees. The Ryuk attack had brought down all essential operations and manufacturing processes. Most of the client's data backups had been directly accessible at the start of the attack and were eventually encrypted. The client was taking steps for paying the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately utilized Progent.
"I cannot speak enough about the support Progent provided us throughout the most fearful time of (our) businesses life. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent experts provided us. The fact that you could get our e-mail system and important servers back in less than one week was incredible. Each consultant I worked with or communicated with at Progent was absolutely committed on getting us working again and was working at all hours on our behalf."
Progent worked with the client to rapidly assess and assign priority to the mission critical applications that had to be recovered to make it possible to resume business operations:
- Active Directory
- Email
- Accounting and Manufacturing Software
To start, Progent adhered to ransomware event mitigation best practices by stopping the spread and disinfecting systems. Progent then began the process of rebuilding Microsoft Active Directory, the heart of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's financials and MRP software used Microsoft SQL, which requires Active Directory services for authentication to the databases.
Within 2 days, Progent was able to recover Active Directory services to its pre-virus state. Progent then initiated reinstallations and storage recovery of critical systems. All Exchange data and configuration information were usable, which accelerated the restore of Exchange. Progent was also able to collect non-encrypted OST files (Microsoft Outlook Off-Line Data Files) on user workstations and laptops in order to recover mail messages. A recent offline backup of the customer's accounting/MRP software made them able to recover these essential services back servicing users. Although a lot of work needed to be completed to recover totally from the Ryuk event, essential systems were returned to operations rapidly:
"For the most part, the production operation never missed a beat and we made all customer sales."
During the next month key milestones in the recovery process were completed through close cooperation between Progent team members and the customer:
- Self-hosted web applications were restored with no loss of information.
- The MailStore Server with over four million archived emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were 100 percent functional.
- A new Palo Alto Networks 850 firewall was set up and programmed.
- Nearly all of the user workstations were functioning as before the incident.
"A huge amount of what transpired that first week is nearly entirely a fog for me, but my team will not soon forget the commitment all of the team accomplished to help get our business back. I have been working together with Progent for the past 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was no exception but maybe more Herculean."
Conclusion
A potential business-ending disaster was evaded due to top-tier professionals, a broad spectrum of technical expertise, and tight teamwork. Although in hindsight the ransomware virus penetration described here should have been blocked with modern cyber security technology and recognized best practices, user training, and well designed security procedures for data backup and proper patching controls, the fact is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware penetration, remember that Progent's roster of professionals has proven experience in ransomware virus defense, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for making it so I could get rested after we made it through the first week. All of you did an impressive job, and if anyone is around the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Adelaide a variety of online monitoring and security assessment services to assist you to reduce the threat from ransomware. These services incorporate next-generation AI technology to uncover zero-day strains of ransomware that can escape detection by legacy signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior machine learning technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily evade traditional signature-based anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to automate the complete malware attack progression including blocking, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback with Windows VSS and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer ultra-affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering via leading-edge technologies packaged within a single agent managed from a unified control. Progent's data protection and virtualization experts can assist your business to design and configure a ProSight ESP environment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with government and industry information security standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent can also help your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with advanced backup technology companies to produce ProSight Data Protection Services, a family of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and track your backup operations and allow transparent backup and fast restoration of important files, apps, system images, and VMs. ProSight DPS helps your business avoid data loss caused by hardware failures, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed backup services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these fully managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security vendors to deliver centralized control and comprehensive protection for your email traffic. The hybrid architecture of Email Guard combines a Cloud Protection Layer with an on-premises security gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises gateway device adds a deeper level of analysis for inbound email. For outgoing email, the on-premises gateway offers AV and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their connectivity hardware like switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming management activities, ProSight WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, locating devices that need important updates, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to help keep your network operating at peak levels by tracking the state of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT staff and your Progent engineering consultant so all looming problems can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to an alternate hosting solution without requiring a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard data about your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSLs or domains. By updating and organizing your IT documentation, you can save as much as 50% of time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis technology to defend endpoints and servers and VMs against modern malware attacks such as ransomware and email phishing, which routinely get by traditional signature-matching anti-virus products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and offers a single platform to manage the complete threat lifecycle including blocking, identification, containment, remediation, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Call Center: Help Desk Managed Services
Progent's Support Center services permit your information technology team to outsource Call Center services to Progent or divide responsibilities for Service Desk support seamlessly between your internal support staff and Progent's nationwide pool of IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a transparent extension of your core network support organization. User access to the Service Desk, delivery of support, issue escalation, trouble ticket generation and updates, performance metrics, and maintenance of the service database are cohesive whether issues are resolved by your core support organization, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management provide businesses of any size a versatile and cost-effective alternative for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information system. Besides maximizing the security and functionality of your IT environment, Progent's software/firmware update management services allow your in-house IT staff to focus on more strategic projects and tasks that derive maximum business value from your information network. Read more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo authentication services utilize Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Android, and other personal devices. With 2FA, when you sign into a secured online account and give your password you are asked to confirm who you are on a device that only you possess and that uses a different network channel. A broad selection of devices can be utilized as this added form of authentication including an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You can designate multiple validation devices. For details about ProSight Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of in-depth management reporting tools created to integrate with the top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like inconsistent support follow-through or machines with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For Adelaide 24/7 Ransomware Removal Services, contact Progent at 800-462-8800 or go to Contact Progent.