Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become a too-frequent cyber pandemic that poses an existential threat for businesses of all sizes vulnerable to an assault. Different iterations of crypto-ransomware such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been out in the wild for many years and still cause damage. The latest versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, plus daily unnamed viruses, not only do encryption of on-line data but also infiltrate all configured system backup. Information synchronized to off-site disaster recovery sites can also be corrupted. In a vulnerable system, it can render any restoration useless and effectively sets the entire system back to zero.
Getting back services and data following a ransomware event becomes a sprint against the clock as the victim tries its best to contain the damage, remove the virus, and restore mission-critical operations. Because ransomware requires time to replicate, penetrations are frequently launched at night, when penetrations are likely to take longer to identify. This compounds the difficulty of promptly marshalling and orchestrating an experienced mitigation team.
Progent offers an assortment of solutions for protecting businesses from ransomware attacks. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security solutions with AI capabilities from SentinelOne to identify and suppress zero-day threats automatically. Progent also offers the assistance of seasoned ransomware recovery consultants with the talent and perseverance to re-deploy a compromised network as quickly as possible.
Progent's Ransomware Restoration Services
Following a ransomware event, paying the ransom in cryptocurrency does not provide any assurance that merciless criminals will respond with the needed keys to decipher all your data. Kaspersky estimated that 17% of ransomware victims never recovered their information even after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms are typically a few hundred thousand dollars. For larger enterprises, the ransom can reach millions of dollars. The alternative is to re-install the mission-critical elements of your Information Technology environment. Absent the availability of full information backups, this requires a wide complement of skill sets, top notch team management, and the willingness to work non-stop until the recovery project is completed.
For decades, Progent has provided certified expert Information Technology services for companies throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned top industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-recognized certifications including CISM, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience in financial systems and ERP software solutions. This breadth of expertise affords Progent the capability to knowledgably understand important systems and consolidate the remaining components of your IT system after a ransomware penetration and assemble them into a functioning network.
Progent's recovery team deploys powerful project management applications to coordinate the sophisticated restoration process. Progent appreciates the importance of working quickly and in unison with a customer's management and Information Technology resources to assign priority to tasks and to get key applications back on-line as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Incident Response
A customer sought out Progent after their network system was taken over by Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by Northern Korean state hackers, possibly using algorithms exposed from the U.S. NSA organization. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative examples of ransomware. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business located in Chicago with about 500 staff members. The Ryuk penetration had frozen all company operations and manufacturing processes. The majority of the client's information backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client was pursuing financing for paying the ransom demand (exceeding two hundred thousand dollars) and wishfully thinking for the best, but in the end reached out to Progent.
"I can't thank you enough about the care Progent provided us during the most critical period of (our) businesses survival. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent team provided us. The fact that you were able to get our messaging and critical applications back online faster than 1 week was earth shattering. Every single staff member I spoke to or texted at Progent was laser focused on getting us restored and was working day and night on our behalf."
Progent worked with the client to quickly get our arms around and assign priority to the critical areas that needed to be restored in order to restart departmental operations:
- Windows Active Directory
- Microsoft Exchange Server
- Accounting and Manufacturing Software
To get going, Progent adhered to AV/Malware Processes event response industry best practices by halting lateral movement and cleaning systems of viruses. Progent then initiated the steps of recovering Active Directory, the key technology of enterprise systems built on Microsoft technology. Microsoft Exchange messaging will not function without AD, and the businesses' MRP system used Microsoft SQL, which requires Active Directory services for authentication to the data.
In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then completed reinstallations and storage recovery of mission critical servers. All Exchange schema and attributes were intact, which greatly helped the restore of Exchange. Progent was also able to assemble intact OST files (Outlook Offline Folder Files) on user workstations to recover mail data. A not too old offline backup of the customer's financials/MRP systems made them able to return these required applications back online. Although a lot of work needed to be completed to recover completely from the Ryuk event, the most important systems were restored rapidly:
"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer orders."
During the next couple of weeks important milestones in the restoration project were made through tight collaboration between Progent engineers and the client:
- In-house web sites were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server with over 4 million archived emails was brought on-line and available for users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were fully recovered.
- A new Palo Alto Networks 850 security appliance was installed.
- 90% of the user desktops and notebooks were fully operational.
"A huge amount of what happened during the initial response is mostly a blur for me, but I will not soon forget the care each and every one of you put in to help get our business back. I've been working together with Progent for at least 10 years, maybe more, and each time Progent has come through and delivered. This time was no exception but maybe more Herculean."
Conclusion
A probable business-killing catastrophe was averted with top-tier professionals, a wide spectrum of IT skills, and close teamwork. Although in analyzing the event afterwards the crypto-ransomware penetration described here should have been identified and prevented with advanced cyber security systems and NIST Cybersecurity Framework best practices, user and IT administrator training, and appropriate incident response procedures for backup and proper patching controls, the reality is that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incursion, feel confident that Progent's team of professionals has a proven track record in ransomware virus defense, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), I'm grateful for allowing me to get some sleep after we got through the first week. All of you did an fabulous effort, and if anyone that helped is in the Chicago area, a great meal is on me!"
To review or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Anaheim a variety of online monitoring and security assessment services designed to help you to minimize the threat from crypto-ransomware. These services incorporate modern artificial intelligence technology to detect zero-day variants of ransomware that can get past legacy signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to automate the complete malware attack lifecycle including blocking, infiltration detection, containment, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device management, and web filtering through cutting-edge technologies incorporated within one agent accessible from a unified control. Progent's security and virtualization consultants can help you to plan and configure a ProSight ESP deployment that meets your organization's unique needs and that helps you prove compliance with legal and industry data security regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent attention. Progent's consultants can also assist your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore technology providers to create ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and monitor your backup operations and enable transparent backup and fast recovery of important files/folders, applications, system images, and VMs. ProSight DPS lets your business avoid data loss resulting from equipment failures, natural calamities, fire, malware like ransomware, human mistakes, ill-intentioned employees, or application glitches. Managed services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security companies to deliver web-based management and world-class security for your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper level of inspection for inbound email. For outgoing email, the local security gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, reconfigure and debug their networking appliances such as routers, firewalls, and access points plus servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are kept current, copies and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating tedious network management processes, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, finding appliances that require important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by checking the state of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your specified IT management staff and your assigned Progent consultant so that any potential issues can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned automatically about upcoming expirations of SSLs or warranties. By updating and managing your network documentation, you can save as much as 50% of time wasted looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes next generation behavior analysis tools to defend endpoints as well as servers and VMs against new malware assaults like ransomware and email phishing, which routinely get by traditional signature-matching AV tools. Progent Active Security Monitoring services protect local and cloud-based resources and provides a unified platform to automate the complete malware attack progression including filtering, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
Progent's Call Center services allow your information technology team to outsource Help Desk services to Progent or split activity for Service Desk support seamlessly between your in-house support resources and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a seamless extension of your corporate network support team. Client access to the Service Desk, delivery of support, issue escalation, trouble ticket creation and updates, performance metrics, and maintenance of the service database are cohesive regardless of whether incidents are resolved by your corporate IT support group, by Progent, or both. Learn more about Progent's outsourced/co-managed Service Center services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and affordable alternative for assessing, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information system. Besides maximizing the security and reliability of your computer network, Progent's patch management services allow your in-house IT team to focus on line-of-business initiatives and activities that derive the highest business value from your information network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against password theft by using two-factor authentication (2FA). Duo enables single-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected application and give your password you are requested to confirm your identity on a device that only you possess and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices can be utilized for this second form of ID validation such as an iPhone or Android or watch, a hardware/software token, a landline phone, etc. You can register multiple verification devices. To learn more about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of real-time and in-depth management reporting tools designed to work with the industry's top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For Anaheim 24/7 Ransomware Removal Services, call Progent at 800-462-8800 or go to Contact Progent.