Ransomware: Your Crippling Information Technology Nightmare
Crypto-ransomware has become an escalating cyber pandemic that poses an existential threat to businesses of all sizes. Multiple generations of ransomware, including CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock, have circulated for years and continue to inflict harm. Modern variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with a steady stream of as yet unnamed newcomers, not only encrypt online data but also seek out and destroy every backup the intruders can reach: shadow copies, backup catalogs, and any backup share or repository reachable with the credentials they have stolen. Files replicated to cloud storage can be ransomed too, because synchronization faithfully copies the encrypted versions over the originals. In a poorly architected data protection solution, this renders automated restoration useless and effectively sets the entire environment back to zero.
Recovering services and data after a crypto-ransomware attack is a race against the clock as the victim struggles to contain the damage, eradicate the ransomware, and restore business-critical operations. Because the intruders need time to spread through the network before they detonate the encryptor, attacks are often launched on weekends and holidays, when staffing is thin and detection takes longer. This multiplies the difficulty of promptly assembling and organizing a qualified mitigation team.
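The backup-destruction step described above leaves a clear trace in process-creation telemetry before any file is encrypted. The following Python is added here as an illustration and is not Progent's tooling: it flags the shadow-copy, backup-catalog and recovery-disabling commands commonly observed in Ryuk and similar intrusions, and reports hosts where several fire in a burst. The log lines are constructed for the example in a simplified pipe-delimited form that is assumed to have been exported from Security event 4688 or Sysmon event 1.

```python
"""Flag backup-destruction commands in Windows process-creation telemetry.

Added illustration, not Progent's tooling. Each record is assumed to be a
pipe-delimited line: timestamp|host|user|parent image|command line, as an
analyst might export from Security event 4688 or Sysmon event 1.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Commands Ryuk and similar families run before encrypting, so that VSS
# rollback and Windows Backup cannot be used for recovery.
BACKUP_KILL_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_backup",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def parse_record(line: str):
    """Split one exported line into its five fields; return None if malformed.
    maxsplit=4 keeps any '|' inside the command line (PowerShell pipelines)."""
    fields = [f.strip() for f in line.split("|", 4)]
    if len(fields) != 5 or not fields[4]:
        return None
    return dict(zip(("timestamp", "host", "user", "parent", "command"), fields))


def detect(lines):
    """Return one Alert per line whose command line matches a rule."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for rule, pattern in BACKUP_KILL_RULES:
            if pattern.search(rec["command"]):
                alerts.append(Alert(rec["timestamp"], rec["host"], rec["user"], rule, rec["command"]))
                break  # one alert per command line is enough
    return alerts


def hosts_over_threshold(alerts, min_hits=2):
    """Hosts that fired at least min_hits rules. A burst is the tell-tale
    sign; a lone vssadmin call can be legitimate maintenance."""
    hits = Counter(a.host for a in alerts)
    return sorted(h for h, n in hits.items() if n >= min_hits)


# Constructed sample telemetry, not real customer data. The first three lines
# mimic the pre-encryption sequence seen in Ryuk intrusions.
SAMPLE_LINES = [
    "2021-03-06 02:14:03|FILESRV01|CORP\\svc_backup|cmd.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2021-03-06 02:14:04|FILESRV01|CORP\\svc_backup|cmd.exe|wbadmin DELETE CATALOG -quiet",
    "2021-03-06 02:14:05|FILESRV01|CORP\\svc_backup|cmd.exe|bcdedit /set {default} recoveryenabled No",
    "2021-03-06 02:20:40|WKS-17|CORP\\jdoe|cmd.exe|powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\"",
    "2021-03-06 09:30:11|WKS-42|CORP\\jdoe|explorer.exe|\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"",
    "2021-03-05 23:00:00|BACKUP01|NT AUTHORITY\\SYSTEM|services.exe|vssadmin list shadows",
    "malformed line with no separators",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LINES)
    for alert in found:
        print(f"{alert.timestamp} {alert.host} {alert.user} [{alert.rule}] {alert.command}")
    print("hosts with a burst of backup-destruction commands:", hosts_over_threshold(found))
```

The burst heuristic matters in practice: `vssadmin list shadows` and an occasional `vssadmin resize shadowstorage` are routine administration, but three destructive commands from one host inside a few seconds, run under a backup service account at two in the morning, is the moment to isolate that host and page the on-call engineer.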
Progent offers an assortment of services for protecting businesses from crypto-ransomware events. These include employee training to recognize and avoid phishing scams, ProSight Active Security Monitoring, which uses SentinelOne's behavior-based endpoint protection to detect and disable zero-day threats, and ProSight LAN Watch for remote monitoring and management. Progent also offers the assistance of seasoned ransomware recovery professionals with the skill and commitment to restore a compromised network as rapidly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency offers no assurance that the remote criminals will hand over keys that decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims who paid never recovered their data, compounding their losses. Paying is also expensive. Ryuk ransoms often run to several hundred thousand dollars, and for larger enterprises the demand can reach millions. The fallback is to rebuild the key parts of your IT environment from scratch. Without usable backups of essential data, this requires a wide range of IT skills, professional project management, and the capacity to work 24x7 until the job is done.
For two decades, Progent has provided certified expert IT services to businesses across the United States and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts (SMEs) includes professionals with advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience gives Progent the skills to rapidly identify critical systems, consolidate the surviving parts of your IT environment after a ransomware event, and configure them into an operational system.
Progent's ransomware team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the urgency of working swiftly and in unison with a customer's management and IT staff to prioritize tasks and bring the most important services back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Incident Recovery
A small business contacted Progent after its network was penetrated by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group; it is typically deployed after an initial TrickBot or Emotet infection, and TrickBot's lateral-movement modules reused exploits leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had halted all company operations and manufacturing. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and praying for good luck, but in the end turned to Progent.
"I can't thank you enough for the care Progent gave us throughout the most fearful period of (our) business's life. We would have had little choice but to pay the hackers if it weren't for the confidence the Progent group gave us. That you were able to get our e-mail and production servers back into operation in less than one week was earth shattering. Each consultant I got help from or e-mailed at Progent was absolutely committed to getting my company operational and was working at a breakneck pace on our behalf."
Progent worked with the customer to quickly assess and prioritize the key elements that had to be addressed to resume departmental functions:
- Active Directory
- Electronic Messaging
- Financials/MRP
To begin, Progent followed incident response best practices by isolating affected systems to stop lateral movement and removing the malware. Progent then began recovering Active Directory, the core of enterprise environments built on Microsoft technology: Microsoft Exchange will not operate without Active Directory, and the customer's accounting and MRP system ran on SQL Server, which relied on Active Directory for authentication and access to the data.
In less than two days, Progent restored Active Directory to its pre-incident state. Progent then moved on to rebuilding and storage recovery for mission-critical applications. All Exchange Server data and attributes were intact, which simplified the Exchange restore. Progent was also able to locate unencrypted OST files (Outlook Offline Folder files) on user PCs and laptops and use them to recover mail data. A recent offline backup of the customer's accounting systems made it possible to bring those services back to users. Although a great deal of work remained to recover fully from the Ryuk attack, critical services were restored quickly:
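Hunting for surviving OST files across hundreds of workstations is tedious by hand. The following Python is added here as an illustration and is not Progent's tooling: it walks a directory tree, finds Outlook data files, and sorts them into intact copies worth collecting and encrypted ones to skip. It relies on the fact that Outlook .ost and .pst files begin with the 4-byte signature "!BDN", and treats a file whose leading bytes look random (high Shannon entropy) as encrypted even when its name was not changed. The ransom extensions list, the directory tree and the file contents are constructed for the example.

```python
"""Triage Outlook data files (.ost/.pst) for intact copies after ransomware.

Added illustration, not Progent's tooling. Outlook data files start with the
4-byte signature "!BDN"; an encrypted copy loses that header and its leading
bytes look random (high Shannon entropy). The directory tree and file
contents below are constructed for the example.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"
MAILBOX_SUFFIXES = {".ost", ".pst"}
# Extensions appended by the encryptor; Ryuk used .RYK. Assumption: this list
# is a starting point to extend from your own indicators, not an authority.
RANSOM_SUFFIXES = {".ryk", ".rykcryptor"}
HEAD_BYTES = 4096
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniformly random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """'intact', 'encrypted' or 'suspect' for one candidate mailbox file."""
    if path.suffix.lower() in RANSOM_SUFFIXES:
        return "encrypted"            # renamed by the encryptor
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    if head.startswith(OUTLOOK_MAGIC):
        return "intact"               # header survived, worth collecting
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"            # header overwritten, name unchanged
    return "suspect"                  # neither signature nor randomness: inspect by hand


def triage(root: Path) -> dict:
    """Map each mailbox file under root (relative POSIX path) to its class."""
    results = {}
    for p in root.rglob("*"):
        if p.is_file() and any(s.lower() in MAILBOX_SUFFIXES for s in p.suffixes):
            results[p.relative_to(root).as_posix()] = classify(p)
    return results


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_tree(root: Path) -> None:
    """Constructed sample: two intact files, one renamed, one overwritten in place."""
    intact = OUTLOOK_MAGIC + bytes(2048) + b"Inbox" * 16 + bytes(1964)
    files = {
        "jdoe/Outlook/jdoe.ost": intact,
        "clee/archive.pst": intact,
        "asmith/Outlook/asmith.ost.RYK": _pseudo_random(8192, b"asmith"),
        "bwong/Outlook/bwong.ost": _pseudo_random(8192, b"bwong"),
        "bwong/notes.txt": b"not a mailbox file",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict:
    """Build the sample tree in a temp dir, triage it, and return the map."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:9s} {rel}")
```

Only the first 4 KiB of each file is read, so the scan is fast even over a user profile share. Copy the files classified as intact to write-once media before touching anything else; an OST is only useful if Outlook can open it, so keep a copy of the original and run the scan again after any further cleanup.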
"For the most part, the manufacturing operation ran fairly normally throughout and we produced all customer deliverables."
Over the following weeks, critical milestones in the recovery were reached in close collaboration between Progent engineers and the client:
- Self-hosted web applications were brought back up without losing any data.
- The MailStore Server with over four million historical emails was brought online and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were completely functional.
- A new Palo Alto Networks PA-850 firewall was installed.
- Nearly all user desktops and notebooks were functioning as before the incident.
"Much of what was accomplished in the initial days is mostly a haze for me, but my management will not soon forget the dedication each and every one of your team put in to give us our company back. I have trusted Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This situation was a testament to your capabilities."
Conclusion
A probable enterprise-killing disaster was averted through the efforts of results-oriented experts, a wide spectrum of IT skills, and close collaboration. In hindsight, the ransomware intrusion described here could have been detected and prevented with current cyber security tools and security best practices: staff training, well thought out incident response and backup procedures, and keeping systems current with security patches. The reality, however, is that state-sponsored and criminal groups in China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware incident, be confident that Progent's team has proven experience in ransomware defense, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for allowing me to get rested after we got past the initial push. All of you made a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Albany a portfolio of online monitoring and security assessment services to help reduce the threat from crypto-ransomware. These services use modern machine learning technology to detect new variants of crypto-ransomware that evade detection by traditional signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network running at peak levels by checking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT management staff and your assigned Progent consultant so any potential problems can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-based platform for managing your network, server, and desktop devices by offering an environment for streamlining common tedious tasks. These can include health monitoring, update management, automated repairs, endpoint deployment, backup and restore, A/V response, remote access, standard and custom scripts, resource inventory, endpoint status reports, and debugging assistance. If ProSight LAN Watch with NinjaOne RMM uncovers a serious issue, it sends an alert to your specified IT personnel and your Progent technical consultant so that emerging problems can be fixed before they impact productivity. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring consulting.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to diagram, track, reconfigure and debug their connectivity hardware like routers, firewalls, and wireless controllers plus servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are always updated, captures and displays the configuration information of almost all devices on your network, tracks performance, and generates notices when potential issues are detected. By automating time-consuming management activities, ProSight WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding devices that require important software patches, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time reporting plug-ins designed to work with the industry's leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues like spotty support follow-up or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore technology companies to create ProSight Data Protection Services (DPS), a selection of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and track your backup processes and enable non-disruptive backup and rapid recovery of important files, apps, system images, plus virtual machines. ProSight DPS helps you protect against data loss caused by hardware breakdown, natural calamities, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or software glitches. Managed backup services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to provide web-based management and comprehensive protection for all your inbound and outbound email. The powerful structure of Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide advanced protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This reduces your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway device adds a further level of inspection for incoming email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo supports single-tap identity confirmation with Apple iOS, Android, and other personal devices. With Duo 2FA, when you log into a secured application and enter your password you are asked to verify who you are on a device that only you possess, over a channel separate from the login session. A broad selection of devices can serve as this second factor, such as an iPhone, Android phone or watch, a hardware or software token, or a landline telephone, and you may designate several validation devices. For more information about ProSight Duo two-factor identity validation services, visit Duo MFA two-factor authentication services.
- Progent's Outsourced/Shared Call Center: Support Desk Managed Services
Progent's Help Center managed services allow your IT staff to outsource Help Desk services to Progent or split responsibilities for Service Desk support seamlessly between your in-house support staff and Progent's extensive pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a smooth extension of your corporate IT support group. User interaction with the Service Desk, delivery of support, issue escalation, trouble ticket generation and updates, efficiency measurement, and maintenance of the service database are cohesive regardless of whether incidents are resolved by your core IT support group, by Progent, or both. Learn more about Progent's outsourced/co-managed Help Desk services.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates next generation behavior analysis technology to defend endpoints as well as servers and VMs against modern malware assaults like ransomware and email phishing, which easily escape traditional signature-based anti-virus tools. The service protects local and cloud-based resources and provides a unified platform to manage the entire threat lifecycle including filtering, detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect data about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can save as much as 50% of the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Patch Management: Patch Management Services
Progent's support services for patch management provide businesses of all sizes a flexible and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. In addition to maximizing the security and functionality of your IT network, Progent's software/firmware update management services free up time for your in-house IT staff to concentrate on line-of-business projects and activities that derive maximum business value from your network. Learn more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to manage the complete threat lifecycle including protection, detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer protection for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified control. Progent's data protection and virtualization experts can assist your business to design and configure a ProSight ESP environment that meets your organization's unique requirements and that helps you demonstrate compliance with government and industry data protection standards. Progent will assist you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent can also assist you to set up and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.
For 24/7/365 Albany Crypto-Ransomware Removal Help, call Progent at 800-462-8800 or go to Contact Progent.