Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become a too-frequent cyberplague that poses an extinction-level danger for organizations poorly prepared for an attack. Multiple generations of ransomware such as Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for a long time and still inflict damage. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, along with daily unnamed newcomers, not only encrypt on-line data files but also infiltrate any configured system protection mechanisms. Files replicated to the cloud can also be corrupted. In a poorly designed system, this can make automated restoration impossible and effectively sets the datacenter back to zero.
Restoring programs and information after a ransomware event becomes a sprint against the clock as the victim fights to stop lateral movement and cleanup the ransomware and to resume business-critical operations. Due to the fact that crypto-ransomware takes time to spread, penetrations are often sprung during nights and weekends, when penetrations may take more time to recognize. This multiplies the difficulty of rapidly mobilizing and orchestrating a qualified mitigation team.
Progent has a variety of support services for securing enterprises from ransomware attacks. These include staff training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of next-generation security solutions with machine learning technology from SentinelOne to detect and quarantine zero-day threats rapidly. Progent in addition can provide the assistance of veteran ransomware recovery engineers with the talent and perseverance to rebuild a breached system as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will provide the codes to decipher any or all of your data. Kaspersky determined that 17% of ransomware victims never recovered their data after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the usual ransomware demands, which ZDNET averages to be in the range of $13,000. The alternative is to piece back together the critical components of your Information Technology environment. Absent the availability of essential system backups, this requires a wide range of skill sets, top notch team management, and the capability to work 24x7 until the recovery project is done.
For twenty years, Progent has made available expert Information Technology services for companies in Baltimore and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained top certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the skills to efficiently identify necessary systems and integrate the remaining pieces of your Information Technology environment after a ransomware attack and rebuild them into an operational system.
Progent's security group uses powerful project management tools to orchestrate the complicated recovery process. Progent knows the importance of working swiftly and together with a customer's management and Information Technology team members to assign priority to tasks and to get essential systems back on line as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Virus Response
A client contacted Progent after their organization was taken over by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state sponsored hackers, suspected of using strategies leaked from the United States National Security Agency. Ryuk targets specific companies with limited ability to sustain operational disruption and is one of the most profitable instances of ransomware malware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with about 500 staff members. The Ryuk attack had shut down all essential operations and manufacturing capabilities. The majority of the client's information backups had been on-line at the beginning of the intrusion and were encrypted. The client was taking steps for paying the ransom demand (more than $200,000) and hoping for good luck, but in the end utilized Progent.
"I cannot tell you enough about the care Progent provided us during the most stressful period of (our) company's life. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent group afforded us. The fact that you could get our e-mail and critical applications back on-line faster than 1 week was something I thought impossible. Each staff member I worked with or communicated with at Progent was absolutely committed on getting our system up and was working non-stop to bail us out."
Progent worked hand in hand the customer to rapidly identify and prioritize the critical applications that needed to be restored to make it possible to continue business functions:
To get going, Progent adhered to Anti-virus penetration mitigation best practices by stopping the spread and cleaning systems of viruses. Progent then began the steps of restoring Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Exchange messaging will not function without Windows AD, and the customer's accounting and MRP applications used Microsoft SQL Server, which requires Windows AD for authentication to the databases.
- Active Directory (AD)
- Microsoft Exchange Email
- Accounting and Manufacturing Software
Within two days, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then performed reinstallations and storage recovery of key servers. All Exchange schema and attributes were usable, which greatly helped the restore of Exchange. Progent was able to collect non-encrypted OST data files (Outlook Off-Line Data Files) on team workstations and laptops to recover mail data. A not too old offline backup of the customer's accounting software made it possible to return these vital applications back online. Although a lot of work was left to recover completely from the Ryuk damage, critical systems were restored quickly:
"For the most part, the assembly line operation survived unscathed and we made all customer sales."
Over the following couple of weeks key milestones in the recovery process were achieved through tight cooperation between Progent team members and the client:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Server containing more than four million archived emails was brought online and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory capabilities were completely restored.
- A new Palo Alto 850 security appliance was installed.
- 90% of the desktops and laptops were back into operation.
"A lot of what happened that first week is nearly entirely a fog for me, but I will not soon forget the urgency each of the team put in to give us our company back. I have trusted Progent for at least 10 years, possibly more, and every time Progent has shined and delivered as promised. This event was no exception but maybe more Herculean."
A possible business extinction catastrophe was avoided with results-oriented professionals, a wide range of knowledge, and close collaboration. Although in post mortem the ransomware attack described here would have been prevented with current security systems and best practices, team education, and appropriate incident response procedures for information protection and applying software patches, the fact remains that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of professionals has substantial experience in ransomware virus blocking, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for allowing me to get rested after we got past the initial push. All of you did an amazing effort, and if any of your guys is around the Chicago area, dinner is my treat!"
To review or download a PDF version of this customer story, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Baltimore a range of remote monitoring and security assessment services designed to assist you to reduce the threat from ransomware. These services utilize next-generation machine learning capability to detect zero-day variants of crypto-ransomware that are able to get past legacy signature-based anti-virus solutions.
For 24-7 Baltimore Crypto Remediation Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's next generation behavior machine learning tools to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily escape legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to address the entire malware attack lifecycle including filtering, identification, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, endpoint management, and web filtering via cutting-edge tools packaged within one agent accessible from a unified console. Progent's security and virtualization consultants can help your business to design and implement a ProSight ESP deployment that addresses your organization's specific requirements and that allows you prove compliance with legal and industry information protection regulations. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent's consultants can also assist you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore technology providers to create ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup processes and allow transparent backup and rapid restoration of vital files/folders, applications, images, and VMs. ProSight DPS lets your business avoid data loss resulting from equipment failures, natural calamities, fire, malware like ransomware, user error, ill-intentioned insiders, or software bugs. Managed services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these fully managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading information security companies to deliver centralized management and world-class security for all your email traffic. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway device to offer complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of inspection for incoming email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map out, monitor, enhance and troubleshoot their networking appliances such as routers, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept current, copies and manages the configuration of almost all devices on your network, monitors performance, and generates alerts when issues are detected. By automating tedious management processes, WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating devices that require critical updates, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network running at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so that all potential issues can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported easily to an alternate hardware environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSLs ,domains or warranties. By cleaning up and organizing your IT documentation, you can save up to 50% of time thrown away searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting edge behavior-based analysis tools to guard endpoint devices and physical and virtual servers against modern malware assaults like ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. Progent ASM services protect local and cloud-based resources and offers a single platform to automate the entire malware attack lifecycle including blocking, detection, mitigation, remediation, and forensics. Top features include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Help Center: Support Desk Managed Services
Progent's Support Center services enable your information technology group to offload Help Desk services to Progent or divide activity for Help Desk services seamlessly between your in-house support team and Progent's extensive roster of IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth supplement to your in-house IT support team. Client access to the Service Desk, provision of support, escalation, ticket creation and tracking, performance measurement, and maintenance of the service database are consistent regardless of whether issues are taken care of by your internal network support group, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Help Center services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, applying, and documenting updates to your ever-evolving IT system. Besides maximizing the protection and reliability of your IT network, Progent's patch management services free up time for your IT team to focus on line-of-business projects and tasks that deliver the highest business value from your information network. Find out more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo MFA services incorporate Cisco's Duo technology to protect against stolen passwords through the use of two-factor authentication (2FA). Duo supports one-tap identity verification with Apple iOS, Google Android, and other personal devices. With 2FA, when you sign into a protected online account and enter your password you are asked to verify who you are via a device that only you have and that uses a separate network channel. A broad selection of devices can be utilized as this second form of ID validation such as a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may designate multiple validation devices. For more information about Duo identity validation services, refer to Duo MFA two-factor authentication (2FA) services for access security.