Crypto-Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware has become a too-frequent cyberplague that presents an existential danger for businesses vulnerable to an attack. Versions of ransomware such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for a long time and still cause destruction. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with additional unnamed malware, not only do encryption of online critical data but also infect many configured system backup. Information synchronized to cloud environments can also be ransomed. In a poorly designed environment, it can render automatic restore operations impossible and basically knocks the entire system back to zero.
Getting back online applications and data following a ransomware attack becomes a race against time as the targeted business struggles to contain the damage, remove the virus, and resume mission-critical operations. Due to the fact that ransomware needs time to spread, penetrations are often launched during weekends and nights, when penetrations may take longer to identify. This multiplies the difficulty of rapidly assembling and coordinating an experienced mitigation team.
Progent offers a variety of support services for securing businesses from ransomware penetrations. These include staff training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security solutions with AI technology from SentinelOne to identify and suppress day-zero cyber threats automatically. Progent in addition provides the assistance of seasoned ransomware recovery professionals with the skills and perseverance to reconstruct a breached system as rapidly as possible.
Progent's Ransomware Recovery Support Services
Soon after a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not provide any assurance that criminal gangs will respond with the needed codes to decipher any of your data. Kaspersky estimated that 17% of crypto-ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms are often a few hundred thousand dollars. For larger enterprises, the ransom can be in the millions of dollars. The other path is to piece back together the vital elements of your IT environment. Absent access to complete system backups, this requires a wide complement of skills, professional project management, and the ability to work 24x7 until the job is finished.
For decades, Progent has offered certified expert IT services for companies across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent in addition has expertise in financial systems and ERP application software. This breadth of experience affords Progent the skills to efficiently identify important systems and organize the remaining pieces of your Information Technology environment after a ransomware attack and configure them into a functioning system.
Progent's security team utilizes powerful project management applications to orchestrate the sophisticated restoration process. Progent understands the importance of working swiftly and in unison with a client's management and Information Technology staff to prioritize tasks and to get the most important services back online as fast as humanly possible.
Client Case Study: A Successful Ransomware Incident Restoration
A business sought out Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is believed to have been created by Northern Korean state criminal gangs, possibly using algorithms exposed from the U.S. NSA organization. Ryuk seeks specific businesses with little ability to sustain disruption and is one of the most lucrative iterations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with around 500 workers. The Ryuk penetration had shut down all company operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the start of the intrusion and were encrypted. The client was actively seeking loans for paying the ransom (in excess of $200,000) and praying for the best, but in the end engaged Progent.
"I can't tell you enough about the help Progent provided us throughout the most stressful period of (our) company's survival. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and important applications back on-line faster than five days was incredible. Each consultant I got help from or e-mailed at Progent was amazingly focused on getting our system up and was working all day and night on our behalf."
Progent worked hand in hand the client to rapidly determine and assign priority to the mission critical areas that needed to be recovered in order to resume departmental functions:
- Active Directory (AD)
- Microsoft Exchange Server
- Accounting and Manufacturing Software
To get going, Progent adhered to Anti-virus event mitigation best practices by isolating and clearing infected systems. Progent then initiated the steps of rebuilding Microsoft AD, the core of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the customer's MRP applications utilized SQL Server, which depends on Active Directory for authentication to the database.
In less than 48 hours, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then charged ahead with reinstallations and hard drive recovery of key servers. All Microsoft Exchange Server data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Email Offline Data Files) on various workstations and laptops in order to recover mail messages. A recent off-line backup of the businesses manufacturing systems made them able to return these vital applications back on-line. Although major work still had to be done to recover totally from the Ryuk attack, the most important services were restored rapidly:
"For the most part, the production manufacturing operation showed little impact and we made all customer sales."
Throughout the next couple of weeks important milestones in the restoration process were accomplished through tight collaboration between Progent consultants and the client:
- In-house web applications were restored with no loss of information.
- The MailStore Exchange Server with over 4 million historical messages was brought on-line and available for users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory Control functions were fully operational.
- A new Palo Alto Networks 850 firewall was deployed.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what occurred that first week is nearly entirely a haze for me, but my management will not forget the urgency each of the team put in to help get our company back. I have been working with Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered as promised. This situation was no exception but maybe more Herculean."
Conclusion
A potential company-ending disaster was dodged due to top-tier experts, a wide array of IT skills, and close teamwork. Although in retrospect the ransomware virus incident detailed here could have been shut down with up-to-date security technology and security best practices, user and IT administrator training, and appropriate security procedures for data protection and proper patching controls, the reality is that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware incident, feel confident that Progent's roster of experts has extensive experience in ransomware virus defense, mitigation, and data disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for making it so I could get some sleep after we made it through the initial push. All of you did an fabulous effort, and if any of your guys is visiting the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Akron a variety of remote monitoring and security evaluation services to assist you to minimize your vulnerability to ransomware. These services include modern AI capability to detect new strains of crypto-ransomware that can get past legacy signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily escape legacy signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to automate the complete malware attack progression including filtering, detection, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint control, and web filtering through leading-edge tools packaged within one agent managed from a unified control. Progent's data protection and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that addresses your organization's unique needs and that helps you prove compliance with government and industry information security standards. Progent will assist you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent can also assist you to set up and test a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has partnered with leading backup technology providers to produce ProSight Data Protection Services, a family of subscription-based offerings that provide backup-as-a-service. ProSight DPS services automate and track your backup processes and allow non-disruptive backup and fast restoration of vital files/folders, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss resulting from hardware breakdown, natural calamities, fire, malware like ransomware, human error, ill-intentioned insiders, or software bugs. Managed services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to provide web-based management and comprehensive security for your inbound and outbound email. The hybrid architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This decreases your vulnerability to inbound threats and saves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a further layer of inspection for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam protection, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to diagram, track, reconfigure and debug their networking appliances such as switches, firewalls, and access points plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are kept updated, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating complex management processes, WAN Watch can knock hours off ordinary chores such as making network diagrams, reconfiguring your network, locating devices that require important software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by checking the health of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so that all looming issues can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported immediately to an alternate hardware solution without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of time thrown away looking for vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Learn more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates cutting edge behavior analysis tools to defend endpoint devices and physical and virtual servers against new malware attacks like ransomware and email phishing, which easily get by legacy signature-matching AV tools. Progent ASM services safeguard local and cloud-based resources and provides a unified platform to address the complete malware attack lifecycle including protection, detection, containment, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Find out more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Center: Support Desk Managed Services
Progent's Help Center services allow your information technology staff to outsource Support Desk services to Progent or divide responsibilities for support services transparently between your in-house support group and Progent's extensive pool of certified IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent supplement to your core IT support group. Client access to the Service Desk, delivery of support services, escalation, trouble ticket creation and tracking, performance measurement, and maintenance of the support database are consistent whether issues are taken care of by your core IT support group, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/shared Service Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management provide businesses of all sizes a versatile and affordable solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic information network. In addition to maximizing the security and functionality of your IT environment, Progent's patch management services free up time for your IT staff to focus on more strategic projects and activities that derive the highest business value from your information network. Learn more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication service plans incorporate Cisco's Duo technology to protect against compromised passwords by using two-factor authentication. Duo enables single-tap identity verification with Apple iOS, Android, and other personal devices. Using Duo 2FA, whenever you log into a protected online account and enter your password you are requested to verify who you are on a device that only you have and that uses a different network channel. A broad selection of out-of-band devices can be used as this added means of authentication including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may designate multiple verification devices. For details about Duo identity authentication services, go to Duo MFA two-factor authentication services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing line of in-depth management reporting tools created to work with the top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Akron 24-Hour Crypto-Ransomware Cleanup Consulting, contact Progent at 800-462-8800 or go to Contact Progent.