Ransomware: Your Feared IT Nightmare
Ransomware has become an all-too-frequent cyber pandemic that poses an existential threat to any business vulnerable to an assault. Multiple generations of ransomware such as the Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and still inflict destruction. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus additional unnamed variants, not only encrypt on-line files but also seek out and destroy any accessible system backups. Data replicated to cloud environments can also be rendered useless. In a poorly architected system, this can make automated recovery impossible and knocks the entire environment back to zero.
Recovering services and data after a ransomware outage becomes a race against the clock as the targeted organization struggles to stop lateral movement, clean up the ransomware, and restore mission-critical activity. Because ransomware needs time to spread, attacks are usually launched on weekends and at night, when they typically take longer to detect. This compounds the difficulty of quickly mobilizing and coordinating a capable response team.
Progent offers an assortment of services for securing organizations against crypto-ransomware penetrations. These include user training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation of security gateways with machine learning capabilities from SentinelOne to discover and disable new cyber threats intelligently. Progent can also provide the services of veteran ransomware recovery professionals with the track record and perseverance to re-deploy a compromised system as quickly as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware penetration, paying the ransom demanded in cryptocurrency does not guarantee that the criminal gang will respond with the keys to decrypt any of your information. Kaspersky Labs found that 17% of ransomware victims never restored their files after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET estimates to be in the range of $13,000. The other path is to rebuild from scratch the mission-critical elements of your IT environment. Without access to essential data backups, this calls for a broad complement of IT skills, top-notch project management, and the willingness to work continuously until the job is completed.
For decades, Progent has offered certified expert IT services for companies in Adelaide and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP application software. This breadth of experience gives Progent the ability to knowledgeably identify critical systems, consolidate the remaining components of your IT environment after a ransomware penetration, and rebuild them into a functioning network.
Progent's ransomware group uses state-of-the-art project management applications to coordinate the complicated restoration process. Progent understands the urgency of working rapidly and together with a client's management and IT resources to prioritize tasks and get key applications back on-line as fast as humanly possible.
Client Story: A Successful Crypto-Ransomware Virus Recovery
A client engaged Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored criminal gangs, suspected of adopting algorithms leaked from the U.S. NSA. Ryuk goes after specific businesses with limited tolerance for disruption and is one of the most profitable strains of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with around 500 staff members. The Ryuk event had shut down all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the start of the intrusion and were destroyed. The client was evaluating paying the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot thank you enough for the help Progent gave us throughout the most stressful period of (our) business's life. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent experts provided us. That you could get our e-mail and key applications back in less than 1 week was beyond my wildest dreams. Each person I spoke to or texted at Progent was amazingly focused on getting my company operational and was working non-stop on our behalf."
Progent worked together with the client to rapidly identify and prioritize the key elements that needed to be recovered to make it possible to resume departmental operations:
- Active Directory (AD)
- MRP System
To get going, Progent followed industry best practices for malware incident response by halting lateral movement and removing active malware. Progent then started the work of bringing Active Directory back online, the heart of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange email will not function without Active Directory, and the customer's MRP software relied on SQL Server, which needs Active Directory services to authenticate access to the data.
In less than 48 hours, Progent was able to recover Active Directory to its pre-attack state. Progent then helped perform setup and storage recovery on critical servers. All Exchange Server schema and configuration information was usable, which greatly helped the rebuild of Exchange. Progent was able to collect unencrypted OST files (Microsoft Outlook Offline Folder Files) from various desktop computers and laptops to recover mail data. A reasonably recent offline backup of the client's accounting/ERP systems made it possible to bring these essential applications back into service. Although significant work remained to recover completely from the Ryuk event, core services were returned to operation quickly:
"For the most part, the production manufacturing operation never missed a beat and we produced all customer deliverables."
During the following weeks, key milestones in the restoration process were achieved in close cooperation between Progent consultants and the customer:
- Self-hosted web applications were restored with no loss of data.
- The MailStore Microsoft Exchange Server containing more than 4 million historical messages was spun up and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100 percent restored.
- A new Palo Alto 850 security appliance was installed and configured.
- Ninety percent of the user desktops were back into operation.
"Much of what went on those first few days is nearly entirely a blur for me, but my team will not forget the countless hours all of your team accomplished to help get our business back. I've been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This event was a stunning achievement."
A likely company-ending catastrophe was dodged through hard-working experts, a wide range of IT skills, and close collaboration. In hindsight, the crypto-ransomware penetration described here could have been prevented with current cyber security systems and best practices, user and IT administrator training, and well-thought-out procedures for data backup and for keeping systems current with security patches. The fact remains, however, that state-sponsored hackers from Russia, China and elsewhere are tireless and an ongoing threat. If you do fall victim to ransomware, you can be confident that Progent's team of experts has extensive experience in crypto-ransomware blocking, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for letting me get some sleep after we made it over the first week. Everyone did an incredible job, and if anyone that helped is in the Chicago area, dinner is on me!"
To read or download a PDF version of this case study, please click: Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF - 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Adelaide a portfolio of remote monitoring and security assessment services to help you reduce the threat from ransomware. These services utilize next-generation machine learning technology to detect new strains of crypto-ransomware that can evade traditional signature-based security solutions.
For Adelaide 24-7 Crypto Recovery Experts, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next-generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily get by legacy signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to manage the entire malware attack progression including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and react to security assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools packaged within one agent managed from a single console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP deployment that addresses your company's unique needs and allows you to achieve and demonstrate compliance with government and industry data protection regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also help your company set up and test a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services, a portfolio of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and enable non-disruptive backup and fast recovery of critical files, apps, system images, and VMs. ProSight DPS helps you recover from data loss resulting from equipment failures, natural disasters, fire, malware like ransomware, human error, malicious insiders, or application bugs. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to provide centralized control and comprehensive security for all your inbound and outbound email. The hybrid structure of the Email Guard managed service combines a Cloud Protection Layer with a local gateway device to provide advanced protection against spam, viruses, Denial of Service attacks, DHAs (directory harvest attacks), and other email-borne threats. The cloud filter serves as the first line of defense and blocks most unwanted email before it reaches your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the local gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server track and protect internal email that stays within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to diagram, track, reconfigure and debug their connectivity hardware like switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, captures and manages the configuration of almost all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating complex management activities, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, reconfiguring your network, finding devices that need important software patches, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by checking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so all looming problems can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hardware solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data related to your network infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save up to half of the time wasted searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates cutting-edge behavior-based analysis technology to defend endpoints and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-based AV tools. Progent ASM services protect on-premises and cloud resources and offer a unified platform to manage the complete threat lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Learn more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Service Center: Call Center Managed Services
Progent's Help Center services allow your IT staff to offload Call Center services to Progent or split responsibilities for Service Desk support seamlessly between your in-house support team and Progent's nationwide roster of IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless supplement to your in-house support group. User interaction with the Service Desk, provision of support services, problem escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the service database are cohesive regardless of whether incidents are taken care of by your core network support resources, by Progent, or a mix of the two. Learn more about Progent's outsourced/co-managed Call Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide organizations of all sizes a versatile and cost-effective solution for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic information system. In addition to maximizing the protection and reliability of your computer environment, Progent's software/firmware update management services free up time for your in-house IT team to focus on line-of-business projects and activities that deliver maximum business value from your network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to defend against password theft by using two-factor authentication (2FA). Duo enables one-tap identity confirmation on iOS, Google Android, and other personal devices. With 2FA, whenever you log into a protected online account and enter your password, you are asked to verify who you are on a device that only you possess and that is reached over a different network channel. A wide selection of devices can be used for this added form of ID validation, including a smartphone or watch, a hardware token, or a landline telephone. You can designate multiple validation devices. To learn more about ProSight Duo identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time reporting tools created to work with the industry's leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues like inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.