Ransomware: Your Feared IT Nightmare
Ransomware has become an escalating cyber pandemic that presents an existential threat to businesses vulnerable to an attack. Different versions of ransomware such as the CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been around for many years and continue to wreak havoc. Newer versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nephilim, plus frequent unnamed variants, not only encrypt online data but also infect any available system backups. Information synchronized to off-site disaster recovery sites can also be corrupted. In a vulnerable environment this can render any restoration useless and effectively knocks the datacenter back to square one.
Getting programs and data back on-line after a crypto-ransomware attack becomes a race against time as the victim tries its best to contain and remove the ransomware and to restore business-critical activity. Because ransomware takes time to move laterally, attacks are often sprung during nights and weekends, when successful intrusions frequently take longer to identify. This compounds the difficulty of promptly assembling and organizing a knowledgeable response team.
Progent has an assortment of services for protecting enterprises from ransomware attacks. These include staff education to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security gateways with artificial intelligence technology from SentinelOne to detect and quarantine zero-day cyber attacks automatically. Progent can also provide the services of veteran ransomware recovery engineers with the track record and perseverance to restore a compromised network as quickly as possible.
Progent's Ransomware Restoration Help
Following a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will provide the keys to decrypt any or all of your files. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNet estimates to average approximately $13,000. The alternative is to piece back together the key elements of your Information Technology environment. Absent access to essential system backups, this calls for a wide range of IT skills, professional team management, and the ability to work continuously until the task is finished.
For decades, Progent has provided certified expert Information Technology services for businesses in Akron and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained high-level certifications in important technologies such as Microsoft, Cisco, VMware, and major Linux distributions. Progent's cybersecurity experts have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the capability to understand important systems knowledgeably, consolidate the surviving components of your IT environment following a ransomware penetration, and configure them into a functioning system.
Progent's recovery team of experts uses best-of-breed project management systems to orchestrate the complex recovery process. Progent understands the importance of working swiftly and in concert with a client's management and IT team members to prioritize tasks and to put critical applications back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Virus Recovery
A business escalated to Progent after its operations were crashed by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting algorithms leaked from America's National Security Agency. Ryuk targets specific organizations with little tolerance for disruption and is among the most profitable iterations of ransomware malware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer located in the Chicago metro area with about 500 employees. The Ryuk attack had brought down all company operations and manufacturing capabilities. The majority of the client's backups had been online at the time of the intrusion and were eventually encrypted. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but in the end engaged Progent.
"I cannot tell you enough about the care Progent provided us throughout the most critical time of (our) business's life. We most likely would have paid the cyber criminals except for the confidence the Progent group gave us. The fact that you were able to get our e-mail and essential servers back on-line sooner than 1 week was beyond my wildest dreams. Every single expert I worked with or communicated with at Progent was laser focused on getting us restored and was working at a breakneck pace on our behalf."
Progent worked hand in hand with the customer to rapidly assess and prioritize the critical systems that had to be addressed in order to continue company operations:
- Microsoft Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practices by halting lateral movement and cleaning the malware from affected systems. Progent then began restoring Microsoft AD, the core of enterprise systems built on Microsoft Windows Server technology. Exchange email will not operate without Active Directory, and the business's financials and MRP system ran on Microsoft SQL Server, which depends on Active Directory for authentication to the database.
In less than two days, Progent restored Windows Active Directory to its pre-attack state. Progent then helped with setup and storage recovery of the most important servers. All Exchange Server schema and attributes were intact, which greatly simplified the restore of Exchange. Progent located intact OST files (Outlook Offline Folder Files) on staff desktop computers and laptops and used them to recover email data. A relatively recent off-line backup of the client's financials/ERP system made it possible to bring these essential services back on-line. Although a large amount of work remained to recover completely from the Ryuk damage, core services were recovered rapidly:
"For the most part, the assembly line operation survived unscathed and we delivered all customer deliverables."
During the next month, key milestones in the recovery project were accomplished through close collaboration between Progent team members and the client:
- Internal web sites were returned to operation without losing any information.
- The MailStore Server, holding more than 4 million historical emails, was brought online and made accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory control capabilities were fully functional.
- A new Palo Alto 850 security appliance was installed.
- 90% of the desktop computers were functioning as before the incident.
"So much of what happened in the initial days is mostly a fog for me, but my team will not soon forget the urgency each and every one of the team put in to help get our business back. I've trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This time was a Herculean accomplishment."
Conclusion
A likely company-ending disaster was avoided by results-oriented professionals, a wide array of technical expertise, and close teamwork. Although, in analyzing the event afterwards, the ransomware incident described here could have been identified and disabled with advanced security systems, ISO/IEC 27001 best practices, staff training, and properly executed procedures for data backup and for keeping systems current with security patches, the fact is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware incursion, feel confident that Progent's roster of professionals has extensive experience in ransomware defense, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), I'm grateful for allowing me to get some sleep after we made it over the most critical parts. All of you did a fabulous job, and if any of your team is visiting the Chicago area, a great meal is on me!"
To read or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Akron a variety of online monitoring and security assessment services to help you minimize the threat from ransomware. These services incorporate modern artificial intelligence capability to detect zero-day variants of crypto-ransomware that are able to evade legacy signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior-based analysis tools to defend physical and virtual endpoints against modern malware assaults like ransomware and fileless exploits, which easily get past legacy signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to automate the entire malware attack lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within one agent accessible from a unified console. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you in defining and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent can also help your company to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with leading backup software providers to produce ProSight Data Protection Services (DPS), a portfolio of offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and enable non-disruptive backup and rapid restoration of important files, apps, images, and virtual machines. ProSight DPS helps your business recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks like ransomware, user error, malicious insiders, or software glitches. Managed services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security vendors to deliver centralized management and world-class protection for your inbound and outbound email. The hybrid structure of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. Email Guard's cloud filter acts as a preliminary barricade and blocks most unwanted email before it reaches your security perimeter. This reduces your exposure to external attacks and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further level of inspection for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, captures and displays the configuration of almost all devices on your network, monitors performance, and generates alerts when issues are discovered. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, finding devices that need critical software patches, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the health of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT personnel and your Progent engineering consultant so any potential problems can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host configured and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hosting solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard information related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can eliminate up to half of the time spent looking for vital information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require when you need it. Read more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior-based machine learning tools to defend endpoint devices as well as physical and virtual servers against new malware attacks such as ransomware and email phishing, which routinely get past legacy signature-matching AV tools. Progent's Active Security Monitoring services safeguard local and cloud resources and provide a single platform to automate the entire malware attack lifecycle including protection, detection, mitigation, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
Progent's Help Desk managed services enable your IT group to offload Help Desk services to Progent or split responsibilities for Service Desk support transparently between your internal network support resources and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a seamless supplement to your in-house network support staff. User access to the Service Desk, provision of support, problem escalation, ticket creation and updates, efficiency measurement, and management of the service database are cohesive regardless of whether issues are taken care of by your internal support group, by Progent's team, or both. Find out more about Progent's outsourced/shared Help Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management provide businesses of all sizes a versatile and affordable alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving information system. In addition to maximizing the protection and functionality of your IT network, Progent's patch management services permit your in-house IT staff to concentrate on line-of-business initiatives and activities that derive the highest business value from your information network. Find out more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo authentication services utilize Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication. Duo enables single-tap identity confirmation with Apple iOS, Android, and other personal devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A wide selection of out-of-band devices can be utilized as this second means of identity validation, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone. You may designate several validation devices. For details about ProSight Duo two-factor identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of in-depth management reporting tools designed to integrate with the industry's leading ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For Akron 24-7 Crypto-Ransomware Removal Consulting, contact Progent at 800-462-8800 or go to Contact Progent.