Ransomware: Your Feared Information Technology Disaster
Ransomware has become a too-frequent cyber pandemic that poses an enterprise-level threat for organizations unprepared for an assault. Different versions of crypto-ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for many years and continue to cause destruction. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, plus daily unnamed newcomers, not only encrypt online data but also attack whatever system protection mechanisms they can reach. Information synched to the cloud can also be ransomed. In a poorly architected environment, this can render automated restoration impossible and basically knocks the entire system back to zero.
Bringing applications and information back online after a ransomware attack becomes a race against time as the targeted business fights to stop the spread, clean up the ransomware, and resume mission-critical operations. Because ransomware requires time to replicate, intrusions are frequently launched on weekends, when successful attacks often take longer to recognize. This multiplies the difficulty of rapidly assembling and coordinating an experienced response team.
Progent offers a range of services for protecting businesses from crypto-ransomware events. Among these are staff education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security gateways with machine learning capabilities from SentinelOne to discover and disable new threats intelligently. Progent can also provide the assistance of expert crypto-ransomware recovery professionals with the track record and perseverance to restore a compromised network as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware event, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will respond with the keys to decrypt any of your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far above the average crypto-ransomware demand, which ZDNet puts at around $13,000. The fallback is to piece back together the essential components of your IT environment. Without access to complete information backups, this calls for a broad complement of skill sets, top-notch team management, and the capability to work non-stop until the recovery project is completed.
For two decades, Progent has offered certified expert Information Technology services for businesses in Anchorage and throughout the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded top certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security specialists have garnered internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of expertise gives Progent the skills to rapidly identify necessary systems, integrate the remaining parts of your IT environment after a crypto-ransomware penetration, and configure them into a functioning system.
Progent's recovery group uses top-notch project management applications to orchestrate the complex restoration process. Progent knows the importance of working swiftly and in concert with a customer's management and Information Technology staff to prioritize tasks and to put key systems back online as soon as humanly possible.
Client Story: A Successful Ransomware Penetration Response
A small business sought out Progent after their organization was brought down by Ryuk ransomware. Ryuk is believed to have been created by North Korean state cybercriminals, possibly adopting algorithms exposed from the United States National Security Agency. Ryuk goes after specific organizations with little room for disruption and is among the most profitable versions of ransomware viruses. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with about 500 employees. The Ryuk attack had paralyzed all company operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom demand (exceeding $200K) and praying for the best, but in the end engaged Progent.
"I can't thank you enough for the help Progent provided us during the most stressful period of (our) company's existence. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent team provided us. That you could get our e-mail and essential applications back into operation in less than one week was amazing. Each person I got help from or texted at Progent was urgently focused on getting us working again and was working at all hours on our behalf."
Progent worked with the client to quickly understand and prioritize the mission-critical applications that had to be restored in order to resume business functions:
To begin, Progent followed industry best practices for malware incident mitigation by halting the spread and cleaning up infected systems. Progent then began the task of restoring Microsoft Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the customer's MRP software used SQL Server, which requires Active Directory services for access to its data.
- Active Directory
In less than 48 hours, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then performed reinstallations and storage recovery on mission-critical applications. All Exchange Server data and configuration information were intact, which facilitated the restore of Exchange. Progent was able to gather non-encrypted OST files (Microsoft Outlook Offline Data Files) from team workstations and laptops in order to recover mail data. A recent offline backup of the business's financial/ERP systems made it possible to bring these required applications back online. Although a large amount of work remained to recover fully from the Ryuk damage, core systems were restored quickly:
"For the most part, the production manufacturing operation showed little impact and we made all customer orders."
Over the next month, key milestones in the recovery project were completed in close collaboration between Progent team members and the customer:
- In-house web applications were brought back up without losing any data.
- The MailStore Exchange Server with over 4 million historical emails was restored to operations and accessible to users.
- CRM/Orders/Invoicing/AP/AR/Inventory modules were fully functional.
- A new Palo Alto 850 security appliance was brought online.
- Most of the desktop computers were operational.
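The restore order in this case study follows from the dependencies between systems: nothing that authenticates against Active Directory can come back before AD does, and the MRP application cannot return before its SQL Server instance. As an added illustration (not Progent's code and not the client's actual inventory), this Python script computes restoration waves from a constructed dependency map modelled on the case, refuses a plan that contains a dependency cycle, and reports what stays blocked while a given system is still being rebuilt.

```python
"""Restore-order planner for ransomware recovery.

The dependency map below is a constructed assumption modelled on the case
study (AD first, then SQL Server and Exchange, then the applications that
sit on top of them); it is not the client's real system inventory.
"""
from collections import defaultdict

# System -> set of systems that must be back online before it can be restored.
DEPENDENCIES = {
    "Active Directory": set(),
    "SQL Server": {"Active Directory"},
    "Exchange Server": {"Active Directory"},
    "MRP/ERP": {"SQL Server"},
    "Outlook OST mail recovery": {"Exchange Server"},
    "In-house web applications": {"SQL Server", "Active Directory"},
    "Desktops": {"Active Directory"},
    "Security appliance": set(),
}


def restore_waves(deps):
    """Kahn's algorithm grouped into layers: wave 0 has no unmet
    dependencies, wave N depends only on systems in earlier waves.
    Raises ValueError on a dependency cycle, which means the plan as
    written cannot be executed and must be re-examined."""
    remaining = {s: set(d) for s, d in deps.items()}
    # A system named only as a dependency still has to be restored.
    for d in set().union(*remaining.values()):
        remaining.setdefault(d, set())
    waves = []
    while remaining:
        ready = sorted(s for s, d in remaining.items() if not d)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        waves.append(ready)
        for s in ready:
            del remaining[s]
        for d in remaining.values():
            d.difference_update(ready)
    return waves


def blocked_by(deps, unavailable):
    """Systems that cannot be restored (transitively) while 'unavailable'
    is still down, e.g. everything stuck behind an AD rebuild."""
    dependents = defaultdict(set)
    for system, needs in deps.items():
        for need in needs:
            dependents[need].add(system)
    blocked, stack = set(), [unavailable]
    while stack:
        for s in dependents[stack.pop()]:
            if s not in blocked:
                blocked.add(s)
                stack.append(s)
    return sorted(blocked)


if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(DEPENDENCIES)):
        print(f"wave {i}: {', '.join(wave)}")
    print("blocked while AD is down:",
          blocked_by(DEPENDENCIES, "Active Directory"))
```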
"A lot of what happened those first few days is mostly a fog for me, but I will not forget the care all of the team put in to give us our business back. I have utilized Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered. This time was a stunning achievement."
A possible business-ending catastrophe was avoided through the efforts of top-tier experts, a wide array of knowledge, and close collaboration. Although forensic analysis concluded that the crypto-ransomware intrusion detailed here should have been blocked by up-to-date cyber security technology and best practices, team education, appropriate security procedures for information protection, and proper patching controls, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware attack, remember that Progent's team of professionals has extensive experience in crypto-ransomware virus blocking, removal, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), thank you for allowing me to get rested after we got through the most critical parts. Everyone did an amazing effort, and if any of your team is around the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Anchorage a variety of remote monitoring and security assessment services designed to help you minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence capability to detect zero-day variants of crypto-ransomware that are able to evade legacy signature-based anti-virus products.
For Anchorage 24-7 Crypto Removal Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses SentinelOne's cutting-edge behavior-based machine learning tools to defend physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to address the complete threat lifecycle, including protection, identification, mitigation, cleanup, and forensics. Top features include one-click rollback using Windows VSS and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering via cutting-edge technologies packaged within a single agent accessible from a single console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP environment that meets your organization's specific requirements and that helps you demonstrate compliance with government and industry information security standards. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require urgent action. Progent's consultants can also help your company set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has worked with advanced backup/restore technology companies to create ProSight Data Protection Services (DPS), a selection of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and track your data backup operations and allow transparent backup and fast restoration of important files, apps, images, and virtual machines. ProSight DPS helps you protect against data loss caused by hardware failures, natural calamities, fire, cyber attacks like ransomware, human mistakes, malicious employees, or application bugs. Managed services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you identify which of these fully managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security vendors to deliver web-based control and world-class protection for your email traffic. The hybrid architecture of the Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your exposure to external threats and saves network bandwidth and storage. Email Guard's onsite security gateway device adds a further level of inspection for inbound email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Exchange Server track and protect internal email that stays within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, track, optimize and debug their connectivity hardware like routers and switches, firewalls, and access points plus servers, client computers and other devices. Using state-of-the-art RMM technology, WAN Watch ensures that network diagrams are kept current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating complex management activities, WAN Watch can cut hours off common chores like network mapping, expanding your network, finding appliances that need important updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so any looming problems can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hosting environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard data about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can eliminate as much as half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based machine learning technology to defend endpoint devices as well as servers and VMs against new malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-matching AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and provide a single platform to address the complete threat lifecycle, including protection, infiltration detection, containment, cleanup, and forensics. Top features include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Help Desk: Call Center Managed Services
Progent's Support Center services allow your IT staff to offload Help Desk services to Progent or divide responsibilities for Service Desk support transparently between your internal network support staff and Progent's extensive pool of certified IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a smooth supplement to your in-house support group. End user interaction with the Service Desk, delivery of technical assistance, issue escalation, trouble ticket generation and tracking, efficiency metrics, and management of the support database are consistent whether incidents are resolved by your internal IT support resources, by Progent's team, or both. Learn more about Progent's outsourced/shared Service Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer businesses of all sizes a versatile and affordable alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic information network. Besides optimizing the security and reliability of your IT network, Progent's software/firmware update management services permit your IT team to concentrate on more strategic projects and tasks that deliver the highest business value from your information network. Read more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo authentication services use Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a protected online account and give your password, you are asked to verify who you are on a device that only you possess and that uses a separate network channel. A wide selection of devices can be used as this second form of authentication, such as a smartphone or wearable, a hardware token, or a landline telephone. You can designate multiple validation devices. For more information about Duo identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.