Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyberplague that presents an extinction-level threat for organizations vulnerable to an attack. Different iterations of ransomware like the CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been running rampant for years and continue to cause harm. Modern versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Egregor, along with a steady stream of as-yet-unnamed variants, not only encrypt online data files but also infiltrate many configured system backups. Data synchronized to cloud environments can also be corrupted. With a vulnerable data protection solution, this can render any recovery impossible and essentially sets the datacenter back to square one.
Recovering services and information after a ransomware intrusion becomes a race against time as the targeted business tries its best to contain the damage, remove the ransomware, and resume business-critical activity. Since crypto-ransomware takes time to spread, attacks are usually sprung at night, when they take longer to uncover. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable mitigation team.
Progent offers a variety of services for securing organizations against crypto-ransomware attacks. These include team member education to recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation of security gateways with machine learning technology from SentinelOne to detect and suppress zero-day threats intelligently. Progent in addition offers the assistance of seasoned ransomware recovery professionals with the talent and commitment to reconstruct a breached network as urgently as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware event, paying the ransom in cryptocurrency provides no assurance that the cyber criminals will return the keys to decrypt any of your files. Kaspersky estimated that 17% of ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms are typically a few hundred thousand dollars. For larger organizations, the ransom demand can be in the millions. The other path is to piece back together the mission-critical parts of your Information Technology environment. Absent access to complete data backups, this requires a wide range of IT skills, professional project management, and the ability to work continuously until the recovery project is finished.
For two decades, Progent has offered expert IT services for businesses across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of expertise gives Progent the skills to efficiently understand important systems and organize the surviving parts of your IT environment after a ransomware penetration and configure them into a functioning system.
Progent's security team deploys best-of-breed project management applications to coordinate the sophisticated restoration process. Progent knows the urgency of working swiftly and in concert with a customer's management and Information Technology resources to prioritize tasks and to put critical services back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Intrusion Restoration
A business hired Progent after their company was penetrated by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean government-sponsored cybercriminals, suspected of adopting strategies leaked from the U.S. NSA. Ryuk targets specific companies with limited tolerance for disruption and is one of the most lucrative iterations of ransomware malware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with about 500 workers. The Ryuk penetration had paralyzed all essential operations and manufacturing processes. The majority of the client's data backups had been online at the start of the intrusion and were destroyed. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.
"I can't thank you enough in regards to the help Progent provided us during the most fearful period of (our) company's survival. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team afforded us. That you could get our e-mail and key servers back into operation quicker than a week was something I thought impossible. Every single expert I worked with or e-mailed at Progent was hell-bent on getting us restored and was working at all hours to bail us out."
Progent worked with the client to quickly identify and prioritize the essential applications that had to be addressed so that departmental functions could continue:
- Active Directory
- E-Mail
- MRP System
To get going, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and cleaning infected systems of the virus. Progent then began the steps of rebuilding Microsoft Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not function without AD, and the customer's MRP system used Microsoft SQL Server, which relies on Windows AD for access to the database.
In less than two days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then completed reinstallations and hard drive recovery of essential servers. All Exchange Server data and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to collect non-encrypted OST files (Microsoft Outlook Offline Data Files) from user workstations and laptops in order to recover email messages. A relatively recent offline backup of the business's accounting software made it possible to bring these vital applications back online. Although a lot of work still had to be done to recover fully from the Ryuk virus, core services were returned to operation rapidly:
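The step of collecting surviving OST files is where a responder needs a fast way to tell which Outlook data files on a workstation are still intact before relying on them for mail recovery. The following PowerShell script is an added illustration, not Progent's tooling: it walks an assumed search root (the default Outlook data-file folder), checks each .ost/.pst file for the "!BDN" header that every intact Outlook data file begins with, and writes a per-machine triage report to an assumed CSV path. A file whose header no longer matches has been overwritten in place, typically by encryption.

```powershell
# Added example (not from the original case study): triage Outlook OST/PST files on a
# workstation by checking the file signature before using them for mail recovery.
# Intact Outlook data files start with the 4-byte signature "!BDN" (0x21 0x42 0x44 0x4E).
# Many ransomware families also rename the files they encrypt, so a missing OST
# should simply be counted as lost; this check covers files overwritten in place.
param(
    # Assumed default: the per-user Outlook data-file folder. Add network shares as needed.
    [string[]]$SearchRoots = @("$env:LOCALAPPDATA\Microsoft\Outlook"),
    # Assumed output location for the triage report.
    [string]$ReportPath = ".\ost-triage.csv"
)

$Signature = [byte[]](0x21, 0x42, 0x44, 0x4E)   # "!BDN"

function Test-OutlookDataFile {
    param([string]$Path)
    # Read only the first four bytes; the file may be tens of gigabytes.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 4
        $read = $stream.Read($header, 0, 4)
        if ($read -lt 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) {
            if ($header[$i] -ne $Signature[$i]) { return $false }
        }
        return $true
    } finally {
        $stream.Dispose()
    }
}

$results = foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -File -Include *.ost, *.pst -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Path         = $_.FullName
                SizeMB       = [math]::Round($_.Length / 1MB, 1)
                LastWrite    = $_.LastWriteTime
                HeaderIntact = Test-OutlookDataFile -Path $_.FullName
            }
        }
}

# Intact files first, newest first, so the most useful copies are at the top.
$results | Sort-Object HeaderIntact, LastWrite -Descending | Format-Table -AutoSize
$results | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it under an account that can read the user profiles on each workstation, then merge the CSVs to decide which mailboxes can be rebuilt from local copies and which must come from backup.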
"For the most part, the production operation never missed a beat and we produced all customer orders."
Throughout the following month key milestones in the restoration project were accomplished in tight cooperation between Progent engineers and the client:
- Self-hosted web sites were restored without losing any information.
- The MailStore Server, holding more than 4 million archived emails, was restored to operation and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were fully recovered.
- A new Palo Alto 850 firewall was set up.
- Ninety percent of the user PCs were functioning as before the incident.
"Much of what occurred those first few days is mostly a fog for me, but I will not soon forget the care each and every one of you accomplished to give us our business back. I have been working with Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered as promised. This situation was a testament to your capabilities."
Conclusion
A probable business-killing disaster was averted thanks to results-oriented professionals, a broad array of technical expertise, and tight teamwork. In the post-mortem, the ransomware incident detailed here should have been prevented by modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, properly executed information protection procedures, and timely security patching. The reality remains, however, that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and will keep trying. If you do fall victim to a ransomware virus, remember that Progent's roster of experts has extensive experience in ransomware blocking, remediation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get rested after we got through the initial push. All of you did an impressive job, and if anyone is visiting the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Arlington a range of remote monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services incorporate modern machine learning capability to uncover zero-day variants of ransomware that are able to evade legacy signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's next-generation behavior-based machine learning tools to guard physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily evade traditional signature-based anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to manage the entire malware attack lifecycle including filtering, identification, containment, cleanup, and forensics. Key features include one-click rollback with Windows VSS and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP environment that meets your company's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you to define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate action. Progent's consultants can also help your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with advanced backup software providers to produce ProSight Data Protection Services, a portfolio of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and enable transparent backup and fast restoration of critical files/folders, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss caused by equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or software glitches. Managed services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to provide web-based management and world-class security for all your email traffic. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with a local security gateway device to provide complete protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway device provides a deeper level of inspection for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to map, track, enhance and debug their networking appliances such as routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding devices that need important software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the health of vital computers that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT management staff and your assigned Progent consultant so that all potential problems can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard information related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSLs or warranties. By cleaning up and organizing your network documentation, you can eliminate as much as 50% of time wasted trying to find vital information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based machine learning technology to guard endpoints as well as servers and VMs against new malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus products. Progent ASM services safeguard local and cloud resources and provide a unified platform to manage the entire malware attack lifecycle including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Help Center: Help Desk Managed Services
Progent's Support Desk services enable your IT group to offload Help Desk services to Progent or divide responsibilities for Service Desk support transparently between your in-house support staff and Progent's nationwide pool of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a seamless supplement to your in-house IT support team. End user interaction with the Help Desk, delivery of technical assistance, problem escalation, trouble ticket creation and tracking, performance measurement, and maintenance of the service database are cohesive whether issues are taken care of by your internal network support organization, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Call Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management offer businesses of all sizes a flexible and cost-effective solution for evaluating, validating, scheduling, implementing, and documenting updates to your dynamic IT system. Besides maximizing the security and functionality of your computer network, Progent's patch management services permit your IT team to focus on line-of-business projects and tasks that derive the highest business value from your information network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a secured online account and enter your password you are asked to verify your identity on a device that only you possess and that is reached over a different network channel. A broad selection of out-of-band devices can be used for this added form of identity validation, such as a smartphone or wearable, a hardware token, or a landline telephone. You may register several validation devices. To learn more about ProSight Duo two-factor identity validation services, go to Duo MFA two-factor authentication services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing family of real-time and in-depth reporting tools designed to work with the industry's leading ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
For 24-Hour Arlington CryptoLocker Removal Services, call Progent at 800-462-8800 or go to Contact Progent.