Ransomware : Your Worst Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level danger for businesses of every size. Families such as the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been running rampant for years and still inflict havoc. The latest strains, including Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with many unnamed variants, not only encrypt online data files but also attack whatever system protection mechanisms they can reach. Data replicated to the cloud can be rendered useless as well. With a poorly designed data protection solution, this can make automated restoration impossible and effectively reset the network to zero.
Restoring services and data after a ransomware attack becomes a race against the clock as the targeted business struggles to stop lateral movement, remove the malware, and resume business-critical activity. Because ransomware takes time to move laterally, attacks are usually launched at night or on weekends, when a successful intrusion may take longer to detect. This compounds the difficulty of rapidly assembling and organizing a qualified mitigation team.
Progent provides a range of services for protecting businesses from ransomware attacks. These include team member training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions built on artificial intelligence technology from SentinelOne to detect and contain zero-day threats quickly. Progent also offers the services of veteran ransomware recovery professionals with the skill and perseverance to restore a compromised system as urgently as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom demand in Bitcoin does not guarantee that the criminal gang will respond with the keys to decrypt any of your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demand, which ZDNET estimates to be around $13,000. The other path is to piece back together the key elements of your Information Technology environment. Without full system backups, this requires a wide complement of IT skills, top-notch team management, and the capacity to work non-stop until the task is done.
For two decades, Progent has offered professional IT services to businesses in Anaheim and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of expertise allows Progent to efficiently identify the important systems, salvage the remaining components of your IT environment after a crypto-ransomware penetration, and rebuild them into a functioning system.
Progent's ransomware team deploys state-of-the-art project management systems to orchestrate the complicated recovery process. Progent understands the importance of acting rapidly and in unison with a client's management and Information Technology staff to prioritize tasks and to get key applications back online as soon as possible.
Client Case Study: A Successful Ransomware Attack Restoration
A customer engaged Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored criminal gangs, suspected of adopting code leaked from the U.S. NSA. Ryuk targets specific businesses with little or no ability to sustain disruption and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company located in the Chicago metro area with around 500 workers. The Ryuk penetration had shut down all essential operations and manufacturing capabilities. Most of the client's backups had been online at the time of the attack and were destroyed. The client was actively seeking loans to pay the ransom (in excess of $200,000) and hoping for the best, but in the end called Progent.
"I can't thank you enough for the support Progent gave us during the most stressful period of (our) business's life. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent team afforded us. The fact that you were able to get our messaging and key applications back into operation in less than 1 week was beyond my wildest dreams. Every single person I spoke to or messaged at Progent was laser focused on getting us back online and was working at breakneck pace on our behalf."
Progent worked with the customer to quickly identify and prioritize the essential systems that had to be addressed to allow business operations to continue:
- Windows Active Directory
- Electronic Mail
To start, Progent followed industry best practices for malware incident mitigation by stopping the spread and cleaning up compromised systems. Progent then began the work of recovering Microsoft Active Directory, the core technology of enterprise networks built on Microsoft products. Microsoft Exchange Server email cannot operate without Active Directory, and the customer's financials and MRP applications used Microsoft SQL Server, which depends on Windows AD to authenticate access to the data.
In less than 2 days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then performed reinstallations and storage recovery on the most important servers. All Exchange schema and configuration information was intact, which accelerated the restoration of Exchange. Progent was also able to find unencrypted OST files (Outlook Offline Data Files) on staff PCs and used them to recover mail messages. A reasonably recent offline backup of the client's accounting/MRP systems allowed these essential applications to be brought back online. Although a large amount of work remained to recover fully from the Ryuk event, the most important services were recovered quickly:
"For the most part, the manufacturing operation never missed a beat and we delivered all customer shipments."
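The case study above restores identity first because mail and the SQL-backed accounting/MRP applications cannot authenticate without Active Directory. The following is an added example, not Progent's code or the customer's inventory: a small recovery planner that encodes such service dependencies and business priorities, propagates urgency down to the services others depend on, and produces a restoration order (and parallel waves) that never schedules a service before its dependencies. All service names, priorities and dependency edges are constructed for illustration.

```python
"""Dependency-ordered recovery planner (constructed example).

Each service carries a business priority (1 = most critical) and the list of
services it depends on. The planner produces an order that respects the
dependencies, breaking ties by urgency, and refuses to plan a cyclic graph
(which would indicate an inventory error to fix before recovery begins).
"""
from collections import defaultdict

# Constructed inventory modelled on the case study: service -> (priority, dependencies).
SERVICES = {
    "active_directory": (1, []),
    "dns": (1, ["active_directory"]),
    "exchange": (1, ["active_directory", "dns"]),
    "sql_server": (2, ["active_directory"]),
    "accounting_mrp": (1, ["sql_server"]),
    "intranet_web": (3, ["active_directory", "sql_server"]),
    "mail_archive": (3, ["exchange"]),
    "user_pcs": (2, ["active_directory", "dns"]),
}


def effective_priority(services):
    """A dependency inherits the urgency of anything that depends on it.

    SQL Server is only priority 2 on its own, but because the priority-1
    accounting/MRP application needs it, it is treated as priority 1.
    """
    eff = {name: prio for name, (prio, _) in services.items()}
    changed = True
    while changed:  # propagate until no dependency's urgency changes
        changed = False
        for name, (_, deps) in services.items():
            for dep in deps:
                if eff[name] < eff[dep]:
                    eff[dep] = eff[name]
                    changed = True
    return eff


def recovery_order(services):
    """Kahn's topological sort with an urgency tie-break.

    Among services whose dependencies are all restored, the most urgent one
    (lowest effective priority, then name for determinism) is scheduled next.
    Raises ValueError on unknown dependencies or a dependency cycle.
    """
    urgency = effective_priority(services)
    indegree = {name: 0 for name in services}
    dependents = defaultdict(list)
    for name, (_, deps) in services.items():
        for dep in deps:
            if dep not in services:
                raise ValueError(f"{name} depends on unknown service {dep}")
            indegree[name] += 1
            dependents[dep].append(name)

    ready = [n for n, d in indegree.items() if d == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (urgency[n], n))
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    if len(order) != len(services):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle involving: {stuck}")
    return order


def has_cycle(services):
    """True if the inventory cannot be planned because of a dependency cycle."""
    try:
        recovery_order(services)
        return False
    except ValueError:
        return True


def waves(services):
    """Group services into waves that can be restored in parallel.

    A service belongs to wave k if its deepest dependency sits in wave k-1;
    services with no dependencies form wave 1.
    """
    wave_of = {}
    for name in recovery_order(services):  # topological order guarantees deps are known
        deps = services[name][1]
        wave_of[name] = 1 + max((wave_of[d] for d in deps), default=0)
    grouped = defaultdict(list)
    for name, w in wave_of.items():
        grouped[w].append(name)
    return [sorted(grouped[w]) for w in sorted(grouped)]


if __name__ == "__main__":
    for i, name in enumerate(recovery_order(SERVICES), 1):
        print(f"{i:2d}. {name}")
    for k, wave in enumerate(waves(SERVICES), 1):
        print(f"wave {k}: {', '.join(wave)}")
```

The planner is deliberately simple: a real incident runbook would also record, per service, where its last known-good backup lives and whether that copy was reachable from the compromised domain, since, as the case study shows, online backups are exactly what the attackers destroy first.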
Over the following month, critical milestones in the restoration project were completed through close collaboration between Progent consultants and the client:
- Internal web applications were returned to operation without losing any information.
- The MailStore Exchange Server containing more than 4 million archived messages was spun up and available for users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory capabilities were 100% restored.
- A new Palo Alto Networks 850 firewall was installed.
- Ninety percent of the user PCs were back into operation.
"A lot of what was accomplished that first week is nearly entirely a blur for me, but my management will not soon forget the commitment each of you put in to help get our business back. I've been working with Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This situation was a life saver."
A probable business-ending disaster was averted thanks to dedicated professionals, a broad spectrum of subject matter expertise, and close teamwork. Although in hindsight the crypto-ransomware attack detailed here should have been prevented by modern security systems and NIST Cybersecurity Framework best practices, user education, well-designed incident response and backup procedures, and keeping systems current with security patches, the fact is that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and an ongoing threat. If you are hit by a crypto-ransomware penetration, remember that Progent's roster of professionals has proven experience in ransomware blocking, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for letting me get some sleep after we got past the initial push. Everyone made an incredible effort, and if any of your team is in the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Anaheim a variety of remote monitoring and security assessment services to help reduce the threat from crypto-ransomware. These services include modern AI capabilities for detecting new variants of crypto-ransomware that slip past traditional signature-based security solutions.
For Anaheim 24x7x365 Crypto-Ransomware Repair Consulting, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses SentinelOne's next-generation behavior analysis tools to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to automate the complete malware attack lifecycle including filtering, identification, mitigation, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and respond to security attacks from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP environment that addresses your organization's specific requirements and allows you to prove compliance with government and industry data protection standards. Progent will assist you in specifying and implementing the security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require urgent action. Progent's consultants can also help your company install and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup/restore software companies to produce ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and allow transparent backup and rapid recovery of critical files, apps, system images, and virtual machines. ProSight DPS helps you avoid data loss resulting from equipment failures, natural calamities, fire, malware such as ransomware, user error, ill-intentioned employees, or software bugs. Managed backup services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to deliver web-based control and comprehensive security for your email traffic. The hybrid architecture of Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper layer of inspection for inbound email. For outgoing email, the on-premises gateway offers AV and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to map, track, reconfigure and debug their connectivity appliances such as routers and switches, firewalls, and load balancers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are kept current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and sends notices when issues are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding devices that require critical software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the health of critical assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so that any potential problems can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved easily to an alternate hardware environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard data related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as 50% of the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that uses next-generation behavior analysis technology to guard endpoints and physical and virtual servers against modern malware attacks like ransomware and email phishing, which routinely escape legacy signature-based AV products. Progent ASM services safeguard local and cloud resources and offer a single platform to manage the entire malware attack lifecycle including protection, identification, containment, remediation, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Find out more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Help Center: Support Desk Managed Services
Progent's Support Desk services enable your IT team to outsource Support Desk services to Progent or to split Help Desk activity seamlessly between your internal support staff and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a transparent extension of your internal IT support resources. Client access to the Help Desk, delivery of support, issue escalation, trouble ticket creation and tracking, performance metrics, and management of the service database are cohesive regardless of whether issues are handled by your internal IT support group, by Progent, or by a mix of the two. Find out more about Progent's outsourced/shared Service Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management provide businesses of all sizes a versatile and affordable solution for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. In addition to maximizing the protection and reliability of your IT network, Progent's software/firmware update management services free up time for your IT team to concentrate on line-of-business projects and activities that deliver maximum business value from your network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo MFA service plans use Cisco's Duo technology to protect against password theft through two-factor authentication (2FA). Duo enables one-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected application and enter your password, you are asked to verify your identity via a device that only you possess and that uses a different network channel. A broad selection of devices can serve as this added form of identity validation, including a smartphone or watch, a hardware/software token, or a landline phone. You may designate several validation devices. For details about ProSight Duo identity authentication services, go to Duo MFA two-factor authentication services for access security.