Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware has become an escalating cyberplague that presents an existential danger for organizations poorly prepared for an attack. Different versions of crypto-ransomware like the CryptoLocker, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been out in the wild for many years and still inflict destruction. Recent variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with daily as yet unnamed malware, not only encrypt online information but also infect many configured system backups. Files synched to cloud environments can also be ransomed. In a vulnerable environment, this can render any recovery hopeless and effectively knocks the network back to zero.
Recovering services and data following a ransomware attack becomes a sprint against the clock as the targeted business tries its best to contain the damage and cleanup the virus and to restore enterprise-critical activity. Since ransomware takes time to replicate, assaults are often sprung during nights and weekends, when attacks may take longer to identify. This compounds the difficulty of promptly assembling and orchestrating a capable mitigation team.
Progent has a range of services for protecting organizations from ransomware penetrations. Among these are user education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security appliances with AI technology from SentinelOne to detect and extinguish zero-day threats automatically. Progent in addition provides the services of seasoned ransomware recovery engineers with the track record and commitment to re-deploy a compromised system as urgently as possible.
Progent's Ransomware Recovery Help
Following a ransomware attack, paying the ransom in cryptocurrency does not ensure that criminal gangs will return the keys to decipher any or all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average crypto-ransomware demands, which ZDNET averages to be around $13,000. The fallback is to piece back together the key components of your IT environment. Without access to full data backups, this requires a wide complement of skills, top notch project management, and the ability to work non-stop until the recovery project is complete.
For two decades, Progent has offered expert Information Technology services for companies in Anaheim and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise in accounting and ERP applications. This breadth of experience affords Progent the capability to knowledgably understand critical systems and integrate the remaining components of your network system after a crypto-ransomware event and assemble them into a functioning network.
Progent's security team uses powerful project management tools to coordinate the sophisticated restoration process. Progent understands the urgency of working swiftly and in unison with a customer's management and Information Technology team members to prioritize tasks and to get essential applications back on-line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Virus Recovery
A business engaged Progent after their organization was taken over by Ryuk ransomware virus. Ryuk is thought to have been created by Northern Korean state sponsored cybercriminals, suspected of adopting strategies leaked from the United States National Security Agency. Ryuk targets specific businesses with little room for operational disruption and is among the most profitable instances of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area and has about 500 staff members. The Ryuk penetration had paralyzed all business operations and manufacturing capabilities. Most of the client's backups had been on-line at the beginning of the attack and were eventually encrypted. The client considered paying the ransom demand (more than $200,000) and praying for good luck, but in the end made the decision to use Progent.
"I can't speak enough about the care Progent provided us throughout the most stressful period of (our) company's life. We would have paid the hackers behind this attack except for the confidence the Progent experts afforded us. The fact that you could get our e-mail and production applications back on-line faster than one week was amazing. Each staff member I worked with or texted at Progent was hell bent on getting my company operational and was working at all hours to bail us out."
Progent worked with the customer to quickly understand and prioritize the most important systems that had to be addressed in order to restart departmental operations:
- Active Directory
- Microsoft Exchange
- Financials/MRP
To get going, Progent adhered to AV/Malware Processes event mitigation industry best practices by halting the spread and cleaning up infected systems. Progent then began the steps of recovering Microsoft AD, the heart of enterprise networks built on Microsoft Windows Server technology. Exchange email will not work without AD, and the businesses' accounting and MRP system leveraged SQL Server, which requires Active Directory services for security authorization to the data.
Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then performed setup and storage recovery of key servers. All Exchange Server ties and attributes were usable, which accelerated the restore of Exchange. Progent was also able to find intact OST data files (Microsoft Outlook Off-Line Data Files) on user desktop computers and laptops in order to recover mail messages. A recent offline backup of the businesses financials/MRP systems made it possible to recover these required services back online. Although a lot of work was left to recover fully from the Ryuk event, the most important services were restored quickly:
"For the most part, the manufacturing operation survived unscathed and we delivered all customer sales."
Over the next month important milestones in the recovery project were made in tight cooperation between Progent consultants and the customer:
- In-house web sites were restored with no loss of information.
- The MailStore Server containing more than four million archived emails was brought online and accessible to users.
- CRM/Orders/Invoices/AP/AR/Inventory Control modules were completely operational.
- A new Palo Alto Networks 850 security appliance was set up.
- Nearly all of the user desktops and notebooks were operational.
"Much of what was accomplished in the early hours is nearly entirely a haze for me, but our team will not forget the commitment each of the team accomplished to give us our company back. I've utilized Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."
Conclusion
A possible business extinction catastrophe was averted with results-oriented professionals, a wide range of IT skills, and tight collaboration. Although in hindsight the ransomware attack described here could have been disabled with modern security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and appropriate security procedures for data protection and keeping systems up to date with security patches, the reality is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a ransomware incursion, remember that Progent's team of professionals has a proven track record in ransomware virus defense, mitigation, and file restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for making it so I could get some sleep after we got through the most critical parts. Everyone did an incredible effort, and if any of your team is in the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Anaheim a portfolio of remote monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence technology to detect new strains of crypto-ransomware that can escape detection by legacy signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior machine learning tools to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily get by traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to automate the entire threat progression including blocking, identification, containment, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer economical in-depth protection for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, endpoint management, and web filtering via leading-edge tools incorporated within a single agent managed from a unified control. Progent's data protection and virtualization experts can help your business to plan and implement a ProSight ESP environment that addresses your organization's specific requirements and that helps you demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent can also assist you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore software companies to produce ProSight Data Protection Services (DPS), a selection of subscription-based offerings that provide backup-as-a-service. ProSight DPS products automate and track your data backup processes and enable non-disruptive backup and fast recovery of vital files, applications, system images, plus virtual machines. ProSight DPS helps you avoid data loss resulting from hardware breakdown, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or application glitches. Managed backup services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these fully managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security vendors to provide centralized management and comprehensive security for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of threats from reaching your network firewall. This decreases your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a further level of analysis for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map out, track, enhance and debug their networking appliances like routers and switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are always updated, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, locating appliances that require critical updates, or isolating performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your network running at peak levels by tracking the health of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT personnel and your Progent engineering consultant so that all potential problems can be resolved before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and safeguard data about your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to half of time spent trying to find vital information about your network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior machine learning tools to guard endpoint devices and physical and virtual servers against new malware assaults such as ransomware and file-less exploits, which easily get by legacy signature-based anti-virus products. Progent ASM services protect local and cloud-based resources and offers a unified platform to manage the entire threat lifecycle including blocking, identification, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows VSS and real-time system-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Call Desk: Call Center Managed Services
Progent's Help Desk services permit your IT team to offload Help Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your internal support group and Progent's extensive roster of certified IT service engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth supplement to your internal support team. Client interaction with the Service Desk, delivery of support, escalation, ticket generation and updates, performance measurement, and maintenance of the support database are cohesive whether incidents are resolved by your in-house network support staff, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Service Center services.
- Patch Management: Patch Management Services
Progent's managed services for patch management provide organizations of all sizes a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic information system. Besides optimizing the security and functionality of your IT network, Progent's patch management services allow your in-house IT staff to concentrate on more strategic initiatives and activities that derive the highest business value from your network. Read more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against compromised passwords by using two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a secured application and enter your password you are requested to verify who you are via a device that only you possess and that is accessed using a different network channel. A broad range of devices can be utilized for this second means of ID validation including a smartphone or watch, a hardware/software token, a landline phone, etc. You can register multiple verification devices. To find out more about ProSight Duo identity validation services, visit Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of in-depth management reporting tools created to integrate with the industry's leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like spotty support follow-up or machines with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24x7x365 Anaheim Ransomware Recovery Consulting, call Progent at 800-462-8800 or go to Contact Progent.