Ransomware : Your Worst IT Disaster
Ransomware has become a too-frequent cyber pandemic that represents an extinction-level threat for organizations poorly prepared for an attack. Different versions of ransomware such as Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for many years and still inflict destruction. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as additional unnamed newcomers, not only encrypt on-line information but also infiltrate all configured system restores and backups. Files synched to the cloud can also be corrupted. In a poorly architected system, this can make any restoration impossible and basically sets the network back to zero.
Recovering programs and information following a ransomware attack becomes a sprint against time as the targeted organization tries its best to contain and eradicate the crypto-ransomware and to restore enterprise-critical activity. Due to the fact that crypto-ransomware takes time to replicate, assaults are usually sprung during weekends and nights, when successful attacks tend to take longer to identify. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable response team.
Progent has a variety of support services for protecting businesses from ransomware attacks. These include staff education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of modern security appliances with machine learning capabilities from SentinelOne to detect and disable zero-day cyber attacks automatically. Progent in addition can provide the assistance of experienced ransomware recovery professionals with the talent and perseverance to reconstruct a breached network as rapidly as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will return the keys to unencrypt all your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files even after having paid the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly above the average crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to setup from scratch the critical parts of your IT environment. Without the availability of complete system backups, this calls for a broad complement of IT skills, well-coordinated team management, and the capability to work continuously until the recovery project is completed.
For two decades, Progent has made available professional Information Technology services for companies in Adelaide and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's security specialists have earned internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP software solutions. This breadth of expertise affords Progent the ability to rapidly identify critical systems and consolidate the remaining components of your IT system following a ransomware penetration and rebuild them into an operational network.
Progent's security team uses top notch project management systems to orchestrate the complex restoration process. Progent understands the importance of acting swiftly and in unison with a customer's management and Information Technology staff to prioritize tasks and to put critical applications back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Virus Restoration
A client escalated to Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been launched by Northern Korean government sponsored hackers, suspected of using techniques exposed from the U.S. NSA organization. Ryuk seeks specific organizations with limited room for operational disruption and is one of the most lucrative examples of ransomware. Headline targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with around 500 workers. The Ryuk penetration had brought down all business operations and manufacturing processes. Most of the client's information backups had been directly accessible at the start of the attack and were encrypted. The client was actively seeking loans for paying the ransom (exceeding $200K) and wishfully thinking for good luck, but in the end called Progent.
"I cannot say enough in regards to the support Progent gave us during the most fearful time of (our) company's survival. We would have paid the criminal gangs if it wasn't for the confidence the Progent team provided us. That you could get our messaging and key servers back into operation sooner than a week was amazing. Every single staff member I interacted with or e-mailed at Progent was laser focused on getting us back online and was working breakneck pace to bail us out."
Progent worked hand in hand the customer to quickly identify and assign priority to the key systems that had to be restored in order to resume business functions:
To get going, Progent adhered to AV/Malware Processes penetration mitigation industry best practices by halting lateral movement and cleaning systems of viruses. Progent then began the steps of bringing back online Microsoft AD, the foundation of enterprise networks built on Microsoft Windows technology. Exchange email will not operate without Windows AD, and the customer's accounting and MRP software leveraged Microsoft SQL, which depends on Active Directory services for access to the information.
- Windows Active Directory
- Accounting and Manufacturing Software
In less than 2 days, Progent was able to re-build Active Directory services to its pre-virus state. Progent then assisted with setup and hard drive recovery of the most important applications. All Exchange Server data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to locate non-encrypted OST files (Microsoft Outlook Off-Line Data Files) on various workstations and laptops to recover mail information. A not too old offline backup of the customer's accounting systems made them able to return these vital services back available to users. Although major work still had to be done to recover fully from the Ryuk event, critical services were recovered quickly:
"For the most part, the production manufacturing operation survived unscathed and we made all customer orders."
During the following couple of weeks important milestones in the restoration process were accomplished in tight cooperation between Progent consultants and the client:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore Microsoft Exchange Server containing more than four million historical emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were completely restored.
- A new Palo Alto Networks 850 security appliance was set up.
- Ninety percent of the desktops and laptops were functioning as before the incident.
"So much of what went on those first few days is nearly entirely a haze for me, but my management will not soon forget the dedication all of you put in to help get our company back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was a Herculean accomplishment."
A possible enterprise-killing disaster was evaded by dedicated professionals, a broad array of technical expertise, and tight collaboration. Although in post mortem the crypto-ransomware penetration detailed here would have been identified and blocked with current security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well thought out incident response procedures for data backup and keeping systems up to date with security patches, the reality is that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has substantial experience in crypto-ransomware virus defense, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for letting me get some sleep after we got past the initial fire. Everyone did an incredible job, and if anyone that helped is in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Adelaide a portfolio of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services utilize next-generation machine learning capability to detect zero-day variants of crypto-ransomware that can evade traditional signature-based anti-virus solutions.
For 24x7x365 Adelaide Crypto Cleanup Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior analysis tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to address the complete threat progression including filtering, detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection managed services offer economical multi-layer security for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device control, and web filtering via cutting-edge technologies packaged within one agent accessible from a unified control. Progent's security and virtualization experts can help your business to design and configure a ProSight ESP deployment that addresses your organization's unique needs and that helps you demonstrate compliance with government and industry data security regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent can also assist your company to set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has worked with leading backup/restore technology providers to produce ProSight Data Protection Services, a selection of offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your backup processes and allow transparent backup and fast recovery of vital files/folders, applications, system images, and virtual machines. ProSight DPS lets your business protect against data loss resulting from equipment failures, natural disasters, fire, cyber attacks such as ransomware, human error, malicious insiders, or software glitches. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security vendors to deliver centralized control and world-class security for your email traffic. The hybrid structure of Email Guard integrates cloud-based filtering with an on-premises gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from making it to your network firewall. This decreases your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a further layer of inspection for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, monitor, reconfigure and debug their networking appliances like switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that network diagrams are kept current, captures and displays the configuration information of virtually all devices on your network, monitors performance, and sends alerts when problems are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding appliances that require critical software patches, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management technology to keep your IT system running at peak levels by checking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT staff and your assigned Progent engineering consultant so that any potential issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hardware solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and protect information about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSLs or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as half of time spent trying to find vital information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection service that utilizes cutting edge behavior-based analysis technology to defend endpoints and servers and VMs against modern malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud resources and provides a single platform to address the entire malware attack progression including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against new threats. Read more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Help Center: Support Desk Managed Services
Progent's Call Desk services allow your information technology group to offload Support Desk services to Progent or split activity for support services transparently between your in-house network support staff and Progent's extensive roster of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth extension of your core support group. End user access to the Service Desk, provision of technical assistance, issue escalation, trouble ticket generation and tracking, efficiency measurement, and management of the support database are cohesive regardless of whether issues are resolved by your in-house IT support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Help Desk services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management offer organizations of all sizes a flexible and cost-effective alternative for assessing, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. In addition to maximizing the security and reliability of your computer environment, Progent's software/firmware update management services free up time for your in-house IT team to concentrate on more strategic initiatives and tasks that deliver maximum business value from your network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. Using Duo 2FA, when you sign into a secured online account and enter your password you are requested to verify who you are on a device that only you have and that uses a separate network channel. A broad selection of out-of-band devices can be utilized as this added means of authentication such as a smartphone or wearable, a hardware token, a landline telephone, etc. You can designate several validation devices. To find out more about ProSight Duo identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding line of real-time and in-depth reporting utilities created to integrate with the top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues such as inconsistent support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.