Ransomware : Your Feared Information Technology Catastrophe
Crypto-Ransomware has become a too-frequent cyberplague that represents an enterprise-level danger for organizations vulnerable to an assault. Different iterations of ransomware like the CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for years and continue to cause destruction. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, plus daily unnamed malware, not only encrypt online data files but also infect most accessible system protection. Data synchronized to cloud environments can also be corrupted. In a poorly designed system, it can make automatic restoration impossible and basically knocks the network back to square one.
Restoring programs and information after a ransomware intrusion becomes a race against time as the targeted business tries its best to contain and cleanup the virus and to restore mission-critical operations. Since ransomware takes time to move laterally, attacks are often sprung during nights and weekends, when penetrations tend to take more time to recognize. This multiplies the difficulty of promptly assembling and orchestrating a capable response team.
Progent provides an assortment of services for protecting businesses from ransomware penetrations. Among these are staff education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security appliances with artificial intelligence capabilities from SentinelOne to identify and extinguish new cyber attacks quickly. Progent in addition offers the assistance of expert crypto-ransomware recovery engineers with the track record and perseverance to reconstruct a compromised system as soon as possible.
Progent's Crypto-Ransomware Recovery Support Services
Soon after a ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that distant criminals will respond with the keys to decrypt any or all of your files. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the typical crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to piece back together the mission-critical components of your Information Technology environment. Absent access to essential data backups, this calls for a wide complement of skills, top notch team management, and the willingness to work continuously until the task is completed.
For twenty years, Progent has made available certified expert IT services for businesses in Arlington and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in financial management and ERP software solutions. This breadth of experience affords Progent the ability to quickly ascertain important systems and consolidate the remaining pieces of your IT system following a crypto-ransomware attack and rebuild them into an operational network.
Progent's security group utilizes best of breed project management systems to coordinate the complicated restoration process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT resources to assign priority to tasks and to put essential applications back on line as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Attack Response
A business engaged Progent after their network system was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government sponsored criminal gangs, suspected of using techniques exposed from the U.S. National Security Agency. Ryuk targets specific companies with little room for operational disruption and is one of the most lucrative examples of crypto-ransomware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago with around 500 employees. The Ryuk event had paralyzed all essential operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible at the time of the attack and were encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and wishfully thinking for the best, but in the end brought in Progent.
"I can't speak enough about the expertise Progent gave us during the most stressful period of (our) businesses life. We would have paid the Hackers except for the confidence the Progent experts provided us. That you could get our e-mail system and production servers back online sooner than 1 week was earth shattering. Each person I worked with or e-mailed at Progent was absolutely committed on getting us back online and was working all day and night on our behalf."
Progent worked with the client to rapidly assess and prioritize the mission critical elements that needed to be restored in order to resume departmental functions:
- Microsoft Active Directory
- Electronic Messaging
- Financials/MRP
To get going, Progent adhered to ransomware event response industry best practices by stopping lateral movement and removing active viruses. Progent then began the work of bringing back online Windows Active Directory, the key technology of enterprise systems built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without AD, and the client's financials and MRP software leveraged Microsoft SQL, which depends on Active Directory services for authentication to the data.
Within 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then initiated setup and storage recovery of key servers. All Exchange schema and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder Files) on team workstations in order to recover mail data. A not too old offline backup of the client's financials/MRP software made them able to recover these vital services back available to users. Although a large amount of work needed to be completed to recover fully from the Ryuk attack, critical systems were restored rapidly:
"For the most part, the production operation was never shut down and we made all customer sales."
During the next few weeks key milestones in the recovery process were achieved in close cooperation between Progent team members and the client:
- Self-hosted web sites were restored with no loss of information.
- The MailStore Exchange Server containing more than four million archived emails was brought on-line and accessible to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables/Inventory capabilities were 100 percent restored.
- A new Palo Alto Networks 850 security appliance was set up.
- Nearly all of the user workstations were operational.
"So much of what transpired during the initial response is mostly a fog for me, but we will not forget the commitment each and every one of your team accomplished to help get our company back. I've trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This event was a stunning achievement."
Conclusion
A probable enterprise-killing disaster was averted with hard-working experts, a broad range of knowledge, and close collaboration. Although in retrospect the ransomware incident described here could have been prevented with current security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and appropriate security procedures for data backup and proper patching controls, the fact remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's roster of experts has substantial experience in ransomware virus blocking, remediation, and file restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for letting me get some sleep after we made it past the first week. All of you did an incredible job, and if any of your team is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Arlington a variety of online monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services include next-generation AI technology to uncover new strains of ransomware that can escape detection by traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely get by legacy signature-matching anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a single platform to automate the complete malware attack lifecycle including protection, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to security threats from all vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, device management, and web filtering via cutting-edge tools packaged within one agent accessible from a unified control. Progent's data protection and virtualization consultants can help your business to plan and configure a ProSight ESP environment that addresses your company's specific needs and that helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also help your company to set up and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has worked with leading backup software providers to create ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup operations and allow transparent backup and fast recovery of important files/folders, apps, system images, and VMs. ProSight DPS helps you protect against data loss caused by hardware failures, natural calamities, fire, cyber attacks like ransomware, user error, ill-intentioned insiders, or software bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security vendors to deliver centralized management and comprehensive protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway device to offer advanced defense against spam, viruses, Dos Attacks, DHAs, and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps most threats from making it to your security perimeter. This decreases your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper level of analysis for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, track, reconfigure and troubleshoot their networking appliances such as switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that network diagrams are always current, copies and displays the configuration of virtually all devices on your network, tracks performance, and sends notices when issues are detected. By automating tedious network management processes, ProSight WAN Watch can knock hours off common tasks like network mapping, expanding your network, finding devices that require critical updates, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to help keep your IT system running at peak levels by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT management staff and your Progent consultant so that any looming problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect data related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSLs ,domains or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of time thrown away looking for vital information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates cutting edge behavior analysis technology to guard endpoints as well as physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely escape traditional signature-matching anti-virus tools. Progent ASM services protect on-premises and cloud resources and offers a single platform to automate the entire malware attack progression including filtering, detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Call Center: Call Center Managed Services
Progent's Support Center managed services enable your information technology group to offload Support Desk services to Progent or divide activity for Service Desk support seamlessly between your in-house support staff and Progent's extensive roster of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a seamless extension of your internal IT support group. Client interaction with the Service Desk, delivery of support services, escalation, trouble ticket creation and updates, efficiency metrics, and maintenance of the support database are cohesive whether incidents are taken care of by your internal IT support organization, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Call Center services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management provide businesses of all sizes a flexible and cost-effective solution for evaluating, testing, scheduling, applying, and tracking updates to your dynamic IT network. In addition to maximizing the protection and reliability of your IT environment, Progent's patch management services permit your in-house IT staff to focus on more strategic projects and activities that deliver the highest business value from your network. Learn more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against password theft by using two-factor authentication (2FA). Duo enables one-tap identity verification on iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign into a secured application and enter your password you are asked to confirm who you are on a device that only you have and that is accessed using a different network channel. A wide range of out-of-band devices can be used as this second means of authentication including an iPhone or Android or watch, a hardware token, a landline phone, etc. You may register multiple verification devices. For details about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of in-depth reporting tools designed to integrate with the top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-up or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For Arlington 24x7 Crypto-Ransomware Recovery Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.