Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware has become a too-frequent cyber pandemic that represents an enterprise-level danger for businesses of all sizes poorly prepared for an attack. Different iterations of ransomware like the CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still inflict havoc. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, as well as frequent as yet unnamed malware, not only encrypt on-line data but also infiltrate most accessible system protection mechanisms. Information replicated to off-site disaster recovery sites can also be ransomed. In a poorly architected environment, it can make any restoration useless and effectively knocks the entire system back to square one.
Retrieving services and information after a ransomware outage becomes a sprint against the clock as the victim fights to stop lateral movement, eradicate the crypto-ransomware, and restore business-critical operations. Since ransomware requires time to move laterally, assaults are frequently sprung on weekends, when penetrations tend to take longer to discover. This multiplies the difficulty of promptly mobilizing and orchestrating a knowledgeable mitigation team.
Progent provides an assortment of solutions for securing businesses from crypto-ransomware attacks. These include user education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of next-generation security gateways with artificial intelligence capabilities from SentinelOne to detect and disable zero-day cyber attacks quickly. Progent in addition offers the assistance of expert ransomware recovery consultants with the track record and commitment to rebuild a compromised network as rapidly as possible.
Progent's Ransomware Recovery Services
Soon after a crypto-ransomware invasion, even paying the ransom in cryptocurrency does not provide any assurance that cyber criminals will return the needed codes to decrypt all your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms are typically several hundred thousand dollars. For larger organizations, the ransom demand can be in the millions. The fallback is to setup from scratch the essential parts of your Information Technology environment. Absent access to complete data backups, this requires a wide range of skills, well-coordinated team management, and the ability to work continuously until the task is over.
For decades, Progent has provided professional IT services for companies throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded advanced certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise provides Progent the ability to knowledgably determine critical systems and re-organize the remaining pieces of your IT environment after a ransomware attack and assemble them into an operational system.
Progent's recovery team of experts utilizes top notch project management tools to coordinate the sophisticated recovery process. Progent knows the urgency of acting rapidly and together with a client's management and Information Technology team members to prioritize tasks and to put essential applications back on line as fast as possible.
Client Story: A Successful Ransomware Penetration Restoration
A business sought out Progent after their network was crashed by the Ryuk ransomware virus. Ryuk is thought to have been developed by Northern Korean state sponsored cybercriminals, possibly adopting strategies leaked from the U.S. National Security Agency. Ryuk goes after specific businesses with little ability to sustain operational disruption and is one of the most lucrative iterations of ransomware malware. High publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with around 500 staff members. The Ryuk intrusion had frozen all essential operations and manufacturing processes. The majority of the client's information backups had been online at the time of the intrusion and were damaged. The client was taking steps for paying the ransom demand (exceeding $200K) and praying for the best, but ultimately called Progent.
"I can't speak enough about the expertise Progent gave us during the most fearful period of (our) businesses survival. We would have paid the hackers behind this attack if not for the confidence the Progent group provided us. The fact that you were able to get our e-mail and important servers back on-line sooner than one week was earth shattering. Every single staff member I interacted with or messaged at Progent was urgently focused on getting my company operational and was working 24 by 7 on our behalf."
Progent worked with the client to rapidly identify and assign priority to the key elements that needed to be recovered in order to restart departmental operations:
- Windows Active Directory
- Exchange Server
- MRP System
To get going, Progent adhered to AV/Malware Processes event response industry best practices by halting lateral movement and removing active viruses. Progent then began the steps of restoring Active Directory, the key technology of enterprise environments built upon Microsoft Windows technology. Exchange messaging will not operate without AD, and the customer's financials and MRP applications utilized Microsoft SQL Server, which needs Windows AD for access to the data.
Within 48 hours, Progent was able to re-build Active Directory services to its pre-intrusion state. Progent then helped perform rebuilding and storage recovery of key servers. All Exchange ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Off-Line Folder Files) on various workstations and laptops in order to recover mail information. A not too old off-line backup of the customer's financials/ERP systems made them able to recover these vital services back on-line. Although major work was left to recover completely from the Ryuk event, core systems were restored quickly:
"For the most part, the assembly line operation never missed a beat and we made all customer shipments."
Over the next couple of weeks critical milestones in the restoration project were accomplished in close collaboration between Progent engineers and the customer:
- Internal web applications were returned to operation without losing any information.
- The MailStore Exchange Server with over four million archived emails was restored to operations and available for users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were completely recovered.
- A new Palo Alto 850 firewall was installed.
- Ninety percent of the desktop computers were operational.
"So much of what happened that first week is nearly entirely a blur for me, but our team will not soon forget the care each and every one of the team accomplished to help get our company back. I've been working together with Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."
Conclusion
A possible company-ending disaster was averted with dedicated professionals, a wide spectrum of subject matter expertise, and close collaboration. Although in post mortem the crypto-ransomware incident described here would have been identified and prevented with current security technology and NIST Cybersecurity Framework best practices, staff education, and properly executed incident response procedures for information protection and applying software patches, the fact is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has proven experience in ransomware virus defense, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for letting me get rested after we made it over the initial push. Everyone did an impressive job, and if anyone is in the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Atlanta a range of remote monitoring and security evaluation services to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation machine learning technology to detect zero-day strains of ransomware that are able to evade legacy signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior analysis technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus products. ProSight ASM protects local and cloud-based resources and provides a unified platform to manage the entire threat progression including protection, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection services offer affordable in-depth protection for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP deployment that meets your company's specific needs and that allows you demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent's consultants can also help you to install and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with leading backup/restore technology companies to create ProSight Data Protection Services, a portfolio of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup processes and enable transparent backup and fast restoration of critical files/folders, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss caused by equipment breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, ill-intentioned insiders, or software glitches. Managed services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security companies to deliver web-based management and comprehensive protection for all your inbound and outbound email. The powerful structure of Email Guard combines cloud-based filtering with a local gateway appliance to provide advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a first line of defense and blocks the vast majority of threats from making it to your security perimeter. This decreases your vulnerability to external attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway device adds a further level of analysis for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to diagram, monitor, enhance and troubleshoot their connectivity appliances such as routers, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are kept updated, captures and manages the configuration information of virtually all devices on your network, tracks performance, and generates notices when problems are detected. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, locating devices that need important updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your network running at peak levels by checking the state of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT personnel and your Progent engineering consultant so that any potential problems can be resolved before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be moved immediately to a different hosting environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSLs or domains. By cleaning up and organizing your IT documentation, you can save as much as half of time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes next generation behavior-based machine learning tools to defend endpoint devices and servers and VMs against new malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-matching AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and offers a unified platform to address the complete threat progression including protection, identification, containment, remediation, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Help Desk: Support Desk Managed Services
Progent's Support Center managed services allow your information technology staff to offload Support Desk services to Progent or divide activity for Help Desk services transparently between your in-house network support staff and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless extension of your corporate network support organization. End user access to the Help Desk, delivery of support, problem escalation, ticket creation and tracking, performance metrics, and management of the support database are cohesive whether incidents are resolved by your in-house network support organization, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Help Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide businesses of all sizes a versatile and affordable solution for assessing, validating, scheduling, applying, and documenting updates to your dynamic IT system. In addition to optimizing the security and reliability of your computer network, Progent's software/firmware update management services permit your in-house IT team to concentrate on line-of-business initiatives and tasks that deliver the highest business value from your network. Learn more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo authentication services incorporate Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation on iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a secured online account and enter your password you are requested to verify your identity via a device that only you possess and that is accessed using a separate network channel. A broad range of devices can be utilized as this second form of ID validation such as an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may register multiple verification devices. To learn more about Duo identity validation services, go to Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time reporting utilities created to integrate with the industry's top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as inconsistent support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For Atlanta 24/7 Crypto-Ransomware Cleanup Services, call Progent at 800-462-8800 or go to Contact Progent.