Ransomware : Your Feared Information Technology Disaster
Ransomware has become a too-frequent cyber pandemic that presents an existential danger for businesses of all sizes unprepared for an assault. Multiple generations of ransomware such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for many years and still inflict harm. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as additional unnamed malware, not only encrypt online files but also infiltrate most accessible system protection. Information replicated to off-site disaster recovery sites can also be corrupted. In a vulnerable system, this can make automated restore operations impossible and effectively knocks the entire system back to zero.
Recovering programs and data following a ransomware outage becomes a sprint against the clock as the targeted organization tries its best to stop the spread, clear the ransomware, and restore enterprise-critical activity. Due to the fact that crypto-ransomware needs time to spread, attacks are often sprung during weekends and nights, when attacks are likely to take longer to identify. This multiplies the difficulty of quickly marshalling and organizing an experienced mitigation team.
Progent provides an assortment of services for protecting businesses from ransomware attacks. These include staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of modern security solutions with AI capabilities from SentinelOne to identify and suppress day-zero threats automatically. Progent also offers the services of seasoned crypto-ransomware recovery consultants with the talent and perseverance to restore a breached network as soon as possible.
Progent's Crypto-Ransomware Restoration Support Services
Subsequent to a crypto-ransomware penetration, even paying the ransom demands in cryptocurrency does not guarantee that cyber hackers will respond with the keys to decipher any of your files. Kaspersky Labs determined that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms are typically a few hundred thousand dollars. For larger organizations, the ransom demand can be in the millions of dollars. The alternative is to piece back together the vital components of your Information Technology environment. Without access to full information backups, this calls for a broad range of skill sets, well-coordinated project management, and the willingness to work non-stop until the job is done.
For twenty years, Progent has provided certified expert Information Technology services for businesses across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-recognized certifications including CISM, CISSP, CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of experience provides Progent the capability to efficiently determine critical systems and organize the remaining pieces of your computer network environment following a ransomware penetration and rebuild them into a functioning network.
Progent's security group utilizes top notch project management applications to coordinate the sophisticated restoration process. Progent knows the importance of working swiftly and together with a client's management and Information Technology staff to prioritize tasks and to get essential services back online as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Virus Restoration
A small business engaged Progent after their network was taken over by the Ryuk ransomware. Ryuk is thought to have been deployed by Northern Korean state sponsored hackers, suspected of adopting techniques exposed from the U.S. National Security Agency. Ryuk goes after specific businesses with little room for operational disruption and is one of the most profitable versions of crypto-ransomware. Well Known victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago and has around 500 workers. The Ryuk attack had brought down all company operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible at the beginning of the attack and were damaged. The client was evaluating paying the ransom demand (more than two hundred thousand dollars) and wishfully thinking for good luck, but in the end reached out to Progent.
"I cannot say enough about the care Progent gave us throughout the most fearful period of (our) businesses survival. We most likely would have paid the cyber criminals if not for the confidence the Progent experts provided us. The fact that you were able to get our messaging and production servers back on-line in less than seven days was something I thought impossible. Every single expert I got help from or texted at Progent was totally committed on getting my company operational and was working all day and night to bail us out."
Progent worked with the client to rapidly identify and prioritize the most important applications that had to be recovered to make it possible to continue business operations:
- Microsoft Active Directory
- Microsoft Exchange Email
- Accounting/MRP
To get going, Progent adhered to AV/Malware Processes incident response best practices by stopping the spread and disinfecting systems. Progent then initiated the steps of recovering Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Exchange email will not operate without Active Directory, and the businesses' financials and MRP system leveraged SQL Server, which requires Active Directory for security authorization to the databases.
Within two days, Progent was able to recover Active Directory to its pre-virus state. Progent then assisted with rebuilding and hard drive recovery of needed applications. All Exchange Server ties and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to find intact OST data files (Outlook Email Off-Line Folder Files) on staff desktop computers in order to recover mail data. A not too old offline backup of the client's accounting/ERP software made it possible to return these required applications back online. Although significant work still had to be done to recover totally from the Ryuk attack, core services were returned to operations quickly:
"For the most part, the production line operation was never shut down and we made all customer sales."
Throughout the next few weeks key milestones in the restoration process were made in tight collaboration between Progent team members and the customer:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore Server exceeding 4 million historical emails was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were completely operational.
- A new Palo Alto 850 security appliance was set up.
- Nearly all of the desktops and laptops were back into operation.
"A huge amount of what was accomplished that first week is mostly a blur for me, but my team will not soon forget the urgency each of the team accomplished to help get our company back. I've entrusted Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered. This situation was a Herculean accomplishment."
Conclusion
A likely business catastrophe was avoided due to hard-working experts, a wide spectrum of IT skills, and close teamwork. Although in analyzing the event afterwards the ransomware penetration detailed here should have been disabled with current cyber security technology and security best practices, staff education, and properly executed incident response procedures for data protection and keeping systems up to date with security patches, the reality remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware virus, feel confident that Progent's team of experts has a proven track record in crypto-ransomware virus blocking, mitigation, and file restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for making it so I could get rested after we got past the most critical parts. Everyone did an impressive effort, and if anyone that helped is around the Chicago area, dinner is on me!"
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Anchorage a portfolio of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services incorporate next-generation AI technology to detect new variants of ransomware that are able to evade legacy signature-based anti-virus solutions.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT management personnel and your Progent consultant so that any looming issues can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a unified, cloud-driven platform for monitoring and managing your network, server, and desktop devices by providing tools for performing common time-consuming jobs. These include health checking, patch management, automated repairs, endpoint configuration, backup and restore, A/V protection, secure remote access, built-in and custom scripts, resource inventory, endpoint profile reporting, and troubleshooting help. If ProSight LAN Watch with NinjaOne RMM identifies a serious issue, it transmits an alarm to your designated IT management personnel and your Progent consultant so potential problems can be taken care of before they interfere with productivity. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring services.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, track, optimize and debug their networking appliances such as routers and switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are kept current, captures and manages the configuration of almost all devices connected to your network, tracks performance, and generates notices when potential issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, finding devices that require important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding line of real-time and in-depth reporting tools created to work with the top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has partnered with leading backup technology providers to create ProSight Data Protection Services, a selection of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products manage and monitor your backup processes and allow non-disruptive backup and rapid recovery of critical files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or software glitches. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security vendors to deliver web-based control and world-class protection for all your email traffic. The hybrid structure of Email Guard combines cloud-based filtering with a local security gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most unwanted email from making it to your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper layer of analysis for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication services incorporate Cisco's Duo technology to defend against stolen passwords by using two-factor authentication (2FA). Duo enables single-tap identity verification on iOS, Google Android, and other personal devices. With Duo 2FA, when you sign into a secured application and enter your password you are asked to confirm your identity via a unit that only you possess and that is accessed using a different network channel. A broad range of out-of-band devices can be used as this added means of ID validation such as an iPhone or Android or watch, a hardware/software token, a landline telephone, etc. You may designate several verification devices. For details about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services for access security.
- Outsourced/Co-managed Help Desk: Support Desk Managed Services
Progent's Support Desk services permit your IT team to offload Call Center services to Progent or split activity for Service Desk support transparently between your in-house network support team and Progent's extensive pool of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a transparent extension of your core support team. User access to the Service Desk, provision of technical assistance, issue escalation, ticket creation and updates, performance measurement, and maintenance of the support database are consistent whether incidents are resolved by your in-house IT support staff, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Call Center services.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes next generation behavior-based analysis tools to defend endpoint devices as well as physical and virtual servers against modern malware assaults like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. Progent Active Security Monitoring services safeguard local and cloud resources and provides a unified platform to address the complete threat lifecycle including protection, identification, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect data related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates ,domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about ProSight IT Asset Management service.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer businesses of any size a flexible and affordable solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information network. Besides optimizing the security and reliability of your computer network, Progent's software/firmware update management services allow your IT team to focus on line-of-business initiatives and tasks that deliver the highest business value from your information network. Learn more about Progent's patch management support services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host configured and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hosting solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior analysis tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily evade legacy signature-matching AV products. ProSight ASM safeguards local and cloud-based resources and offers a single platform to address the complete malware attack lifecycle including blocking, infiltration detection, mitigation, remediation, and forensics. Key features include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer economical in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering through cutting-edge technologies packaged within one agent accessible from a single control. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP environment that meets your company's specific requirements and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent action. Progent's consultants can also assist your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
For 24x7 Anchorage Ransomware Repair Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.