Crypto-Ransomware : Your Feared Information Technology Catastrophe
Crypto-Ransomware has become an escalating cyber pandemic that poses an existential threat for businesses of all sizes vulnerable to an assault. Different iterations of ransomware such as CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict damage. Recent variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with frequent unnamed malware, not only do encryption of online data files but also infect many accessible system protection mechanisms. Files replicated to off-site disaster recovery sites can also be corrupted. In a poorly designed environment, it can render automatic restoration hopeless and basically knocks the entire system back to zero.
Restoring applications and data after a crypto-ransomware intrusion becomes a sprint against the clock as the victim struggles to stop lateral movement and cleanup the ransomware and to resume business-critical activity. Since crypto-ransomware needs time to move laterally, assaults are frequently launched during weekends and nights, when successful penetrations typically take longer to discover. This multiplies the difficulty of rapidly marshalling and orchestrating an experienced response team.
Progent offers an assortment of services for securing enterprises from ransomware events. These include user training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation security appliances with machine learning capabilities from SentinelOne to detect and suppress day-zero cyber threats automatically. Progent also offers the services of veteran ransomware recovery consultants with the track record and perseverance to re-deploy a breached network as quickly as possible.
Progent's Ransomware Restoration Support Services
Soon after a crypto-ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will provide the keys to decrypt any of your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET averages to be in the range of $13,000. The other path is to re-install the vital components of your IT environment. Absent the availability of full information backups, this calls for a wide range of IT skills, top notch project management, and the ability to work continuously until the recovery project is done.
For two decades, Progent has provided expert Information Technology services for businesses in Anchorage and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity engineers have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience in financial management and ERP applications. This breadth of expertise provides Progent the ability to efficiently understand critical systems and integrate the remaining parts of your Information Technology environment following a ransomware event and assemble them into an operational network.
Progent's security team of experts has powerful project management applications to coordinate the sophisticated restoration process. Progent appreciates the urgency of acting rapidly and in unison with a client's management and Information Technology resources to assign priority to tasks and to put critical systems back on line as fast as humanly possible.
Customer Case Study: A Successful Ransomware Attack Response
A business contacted Progent after their organization was penetrated by Ryuk crypto-ransomware. Ryuk is believed to have been deployed by Northern Korean state sponsored criminal gangs, possibly adopting techniques exposed from the U.S. NSA organization. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most lucrative iterations of ransomware viruses. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in the Chicago metro area with about 500 workers. The Ryuk event had frozen all business operations and manufacturing processes. Most of the client's backups had been on-line at the beginning of the intrusion and were damaged. The client was actively seeking loans for paying the ransom (in excess of two hundred thousand dollars) and praying for the best, but in the end reached out to Progent.
"I cannot say enough about the expertise Progent gave us during the most critical period of (our) company's life. We most likely would have paid the Hackers if not for the confidence the Progent group gave us. That you could get our e-mail and important applications back online sooner than 1 week was beyond my wildest dreams. Every single staff member I got help from or messaged at Progent was totally committed on getting our company operational and was working non-stop on our behalf."
Progent worked together with the client to rapidly get our arms around and prioritize the critical systems that had to be addressed to make it possible to restart business operations:
- Microsoft Active Directory
- Microsoft Exchange Server
- Accounting/MRP
To get going, Progent followed Anti-virus penetration mitigation best practices by halting lateral movement and disinfecting systems. Progent then began the process of bringing back online Active Directory, the key technology of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange email will not work without AD, and the customer's accounting and MRP applications utilized Microsoft SQL, which requires Windows AD for security authorization to the database.
In less than 2 days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then initiated setup and hard drive recovery on needed applications. All Exchange Server data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate non-encrypted OST data files (Outlook Email Off-Line Data Files) on team workstations to recover email data. A recent off-line backup of the customer's accounting systems made them able to restore these required applications back servicing users. Although a lot of work was left to recover fully from the Ryuk event, essential systems were restored quickly:
"For the most part, the assembly line operation did not miss a beat and we did not miss any customer orders."
During the following month critical milestones in the recovery process were accomplished through close collaboration between Progent consultants and the customer:
- Internal web sites were returned to operation without losing any data.
- The MailStore Server with over 4 million historical messages was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were 100 percent operational.
- A new Palo Alto 850 security appliance was deployed.
- Most of the desktops and laptops were functioning as before the incident.
"So much of what happened that first week is nearly entirely a haze for me, but I will not soon forget the countless hours each of the team put in to give us our business back. I have trusted Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This event was a stunning achievement."
Conclusion
A likely business-ending catastrophe was averted due to hard-working experts, a broad array of knowledge, and close teamwork. Although upon completion of forensics the ransomware incident detailed here could have been identified and disabled with current security technology solutions and security best practices, user education, and properly executed incident response procedures for information protection and proper patching controls, the reality remains that state-sponsored hackers from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware incursion, remember that Progent's team of professionals has extensive experience in ransomware virus blocking, removal, and file restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for allowing me to get rested after we made it through the initial fire. All of you did an incredible effort, and if any of your guys is around the Chicago area, dinner is on me!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Anchorage a variety of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services include modern machine learning technology to detect zero-day variants of ransomware that can evade legacy signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior-based analysis tools to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily get by legacy signature-based AV tools. ProSight ASM protects on-premises and cloud resources and provides a single platform to address the complete threat progression including blocking, identification, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services deliver ultra-affordable in-depth security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools incorporated within one agent accessible from a single control. Progent's security and virtualization experts can help you to design and implement a ProSight ESP environment that addresses your company's specific needs and that allows you demonstrate compliance with government and industry information protection regulations. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent action. Progent can also assist you to install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has worked with advanced backup/restore technology providers to create ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and track your backup operations and allow non-disruptive backup and rapid restoration of important files/folders, applications, images, and virtual machines. ProSight DPS lets you protect against data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or software glitches. Managed backup services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these fully managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security companies to deliver centralized control and comprehensive protection for all your inbound and outbound email. The powerful structure of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to offer advanced defense against spam, viruses, Dos Attacks, DHAs, and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound threats and saves network bandwidth and storage. Email Guard's onsite security gateway device provides a further layer of analysis for incoming email. For outgoing email, the local security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email that originates and ends inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map out, monitor, optimize and troubleshoot their connectivity appliances like routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are kept updated, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when problems are discovered. By automating time-consuming management activities, ProSight WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding appliances that need important updates, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system running efficiently by tracking the health of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT personnel and your Progent engineering consultant so that any looming issues can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported immediately to a different hosting environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard information related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSLs or domains. By updating and organizing your network documentation, you can save up to half of time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior analysis tools to guard endpoints as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which routinely evade traditional signature-matching AV products. Progent ASM services safeguard local and cloud resources and provides a single platform to automate the entire threat progression including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Help Desk: Call Center Managed Services
Progent's Call Desk managed services permit your IT staff to offload Help Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house support staff and Progent's nationwide pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless extension of your in-house network support team. End user access to the Service Desk, provision of technical assistance, problem escalation, trouble ticket creation and updates, efficiency metrics, and maintenance of the support database are consistent regardless of whether incidents are taken care of by your internal network support staff, by Progent, or a mix of the two. Learn more about Progent's outsourced/shared Service Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer organizations of all sizes a flexible and cost-effective solution for evaluating, testing, scheduling, applying, and tracking updates to your dynamic information system. Besides optimizing the protection and reliability of your IT environment, Progent's software/firmware update management services allow your IT staff to focus on line-of-business projects and tasks that deliver maximum business value from your network. Find out more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo authentication service plans incorporate Cisco's Duo technology to protect against password theft through the use of two-factor authentication (2FA). Duo supports one-tap identity verification with iOS, Android, and other personal devices. With 2FA, when you log into a secured online account and enter your password you are asked to confirm who you are via a device that only you have and that is accessed using a different ("out-of-band") network channel. A broad range of out-of-band devices can be used for this second form of authentication including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may designate multiple verification devices. For details about Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of real-time management reporting plug-ins designed to integrate with the industry's top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For Anchorage 24/7 Crypto-Ransomware Recovery Consultants, contact Progent at 800-462-8800 or go to Contact Progent.