Ransomware: Your Worst IT Disaster
Crypto-ransomware has become an escalating plague that poses an enterprise-level threat to businesses of every size. Older ransomware families such as Dharma, Fusob, Locky, Syskey and MongoLock have been in the wild for years and still cause harm. Current strains such as Ryuk, Maze, Sodinokibi (REvil), NetWalker, LockBit and Egregor, plus a steady stream of as yet unnamed variants, not only encrypt online data but also hunt down and destroy any system restore points and backups they can reach. Data synchronized to the cloud can be encrypted as well, since the encrypted files are simply synced over the good copies. In a poorly designed data protection scheme this can make recovery hopeless and effectively knocks the datacenter back to square one.
Recovering applications and data after a crypto-ransomware intrusion is a race against the clock as the targeted organization fights to contain the damage, eradicate the ransomware, and resume business-critical activity. Because encrypting an entire network takes time, attacks are often launched on weekends, when a successful penetration typically takes longer to notice. This multiplies the difficulty of rapidly mobilizing and organizing an experienced mitigation team.
Progent offers a range of services for protecting businesses from ransomware. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for managed endpoint protection, and deployment and configuration of SentinelOne's behavior-based, machine-learning endpoint security to detect and disable new threats quickly. Progent also provides seasoned ransomware recovery consultants with the skill and perseverance to restore a breached environment as fast as possible.
Progent's Ransomware Recovery Support Services
Even paying the ransom in cryptocurrency gives no assurance that the remote criminals will deliver the keys needed to decrypt all your files. Kaspersky estimated that 17% of ransomware victims who paid never got their files back, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000), well above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without usable backups, this calls for a broad range of skills, professional project management, and the ability to work around the clock until recovery is complete.
For two decades, Progent has provided professional IT services to businesses in Baltimore and across the U.S. and has earned Microsoft's Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants holding advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security experts hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of expertise lets Progent quickly identify critical systems after a ransomware attack, reassemble the surviving parts of your IT environment, and bring them back up as a functioning network.
Progent's security group deploys state-of-the-art project management tools to coordinate the complex recovery process. Progent knows the urgency of working rapidly and in concert with a customer's management and IT resources to assign priority to tasks and to put critical systems back on-line as soon as possible.
Client Story: A Successful Crypto-Ransomware Recovery
A client contacted Progent after Ryuk ransomware brought down their network. Ryuk is derived from the earlier Hermes ransomware and was initially attributed to North Korean state actors; subsequent analysis tied its operation to Russian-speaking criminal groups. Ryuk is used in targeted attacks against organizations that can least afford disruption and ranks among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with around 500 employees. The Ryuk incident had halted all business operations and manufacturing. Most of the client's backups had been online when the intrusion began and were eventually encrypted as well. The client was actively seeking loans to pay the ransom (in excess of $200K) and hoping for the best, but ultimately called Progent.
"I can't say enough about the support Progent provided us throughout the most fearful period of (our) business's life. We might have had to pay the criminal gangs except for the confidence the Progent group gave us. That you could get our messaging and essential applications back in less than 1 week was beyond my wildest dreams. Every single consultant I talked with or messaged at Progent was totally committed to getting us back on-line and was working at breakneck pace on our behalf."
Progent worked with the client to quickly identify and prioritize the key systems that had to be recovered before departmental functions could resume:
- Windows Active Directory
- Microsoft Exchange Server
- Accounting and Manufacturing (MRP) Software
First, Progent followed malware incident-handling best practice: isolate affected hosts to stop the spread, then clean or rebuild the infected systems. Progent then began rebuilding Windows Active Directory, the foundation of an enterprise network built on Microsoft Windows. Exchange Server cannot run without AD, and the client's financial and MRP applications ran on SQL Server, which was configured to authenticate users through AD, so nothing else could come back until the directory did.
Within 48 hours, Progent had rebuilt Windows Active Directory to its pre-intrusion state, then completed reinstallations and disk recovery for critical applications. The Exchange Server data and attributes were intact, which sped up the Exchange restore, and Progent located Outlook Offline Data Files (.ost) on various desktops to recover users' mail. A reasonably recent offline backup of the accounting/MRP system allowed those vital applications to be brought back online. Although much work remained to recover fully from the Ryuk damage, the most important systems were restored quickly:
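As an added example (not Progent's code and not part of the original case study), the script below does the triage that the OST recovery step implies: walk a mounted workstation disk, disk image or admin share, find Outlook data files, and separate intact .ost/.pst files from ones the ransomware has overwritten, including files renamed with a ransom extension. It relies on the documented MS-PST header (magic bytes "!BDN" at offset 0, client magic "SM" at offset 8, format version at offset 10); the host names, mailbox names and the ".locked" ransom suffix used by the demo tree are constructed for illustration, and the entropy threshold is a practical heuristic rather than a specification value.

```python
"""Triage Outlook data files (.ost/.pst) found on workstations after a
ransomware event.

Added example, not Progent's code. It reads the first 4 KiB of each
candidate file and checks the Outlook data file header (MS-PST format:
magic "!BDN" at offset 0, client magic "SM" at offset 8, format version
at offset 10). A file that still carries a valid header is usable for
mail recovery; a file whose header is gone and whose bytes look random
has almost certainly been encrypted, whatever its name now is.
"""
import math
import os
import struct
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"          # dwMagic (0x4E444221, stored little-endian)
PST_CLIENT_MAGIC = b"SM"     # wMagicClient at offset 8
OUTLOOK_SUFFIXES = {".ost", ".pst"}
HEADER_BYTES = 4096
ENTROPY_ENCRYPTED = 7.2      # bits/byte; heuristic, real headers sit far below

# wVer at offset 10 identifies the on-disk format (newer OSTs use 4 KiB pages)
FORMAT_BY_VERSION = {14: "ANSI", 15: "ANSI", 23: "Unicode", 36: "Unicode-4K"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_candidate(path: Path) -> bool:
    """Match mailbox.ost and also mailbox.ost.<ransom-extension>."""
    return any(s.lower() in OUTLOOK_SUFFIXES for s in path.suffixes)


def classify(path: Path) -> dict:
    """Classify one file as intact, likely-encrypted, or unrecognized."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_BYTES)
    header_ok = (len(head) >= 12 and head[:4] == PST_MAGIC
                 and head[8:10] == PST_CLIENT_MAGIC)
    entropy = shannon_entropy(head)
    if header_ok:
        version = struct.unpack_from("<H", head, 10)[0]
        verdict = "intact"
        fmt = FORMAT_BY_VERSION.get(version, f"unknown({version})")
    elif entropy >= ENTROPY_ENCRYPTED:
        verdict, fmt = "likely-encrypted", None
    else:
        verdict, fmt = "unrecognized", None
    return {"path": str(path), "verdict": verdict, "format": fmt,
            "entropy": round(entropy, 2), "size": path.stat().st_size}


def triage(root: Path) -> list:
    """Walk a mounted disk, share or image and classify every candidate."""
    found = (classify(p) for p in root.rglob("*")
             if p.is_file() and is_candidate(p))
    return sorted(found, key=lambda r: r["path"])


def build_demo_tree(root: Path) -> None:
    """Constructed sample files (not real mailboxes) laid out the way Outlook
    stores OSTs on a workstation: %LOCALAPPDATA%\\Microsoft\\Outlook."""
    outlook = Path("AppData") / "Local" / "Microsoft" / "Outlook"
    good = root / "PC01" / "Users" / "alice" / outlook / "alice@example.com.ost"
    bad = root / "PC02" / "Users" / "bob" / outlook / "bob@example.com.ost.locked"
    junk = root / "PC02" / "Users" / "bob" / "Desktop" / "notes.pst"
    for p in (good, bad, junk):
        p.parent.mkdir(parents=True, exist_ok=True)
    # Minimal valid Unicode-format header (wVer 23, wVerClient 19), zero padded
    header = PST_MAGIC + b"\0\0\0\0" + PST_CLIENT_MAGIC + struct.pack("<HH", 23, 19)
    good.write_bytes(header + b"\0" * (HEADER_BYTES - len(header)))
    # Ransomware output: header destroyed, bytes indistinguishable from random.
    # The ".locked" suffix is an assumed ransom extension, not a specific family's.
    bad.write_bytes(os.urandom(HEADER_BYTES))
    # A text file with an Outlook extension: no header and low entropy
    junk.write_bytes(b"not an outlook file\n" * 50)


def run_demo() -> list:
    """Build the constructed tree in a temp dir and return the triage results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return triage(root)


if __name__ == "__main__":
    for r in run_demo():
        print(f"{r['verdict']:17} {r['format'] or '-':11} "
              f"entropy={r['entropy']:.2f} {r['path']}")
```

Run it against a real tree by calling triage(Path(r"\\PC01\C$\Users")) or a mounted image; only files that report "intact" are worth copying to the recovery workstation, and the format column tells you whether a given file needs a 4 KiB-page-aware tool to open it. The entropy test is a heuristic: a compressed archive misnamed .pst would also score high, so treat "likely-encrypted" as a triage label, not proof.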
"For the most part, the assembly line operation did not miss a beat and we produced all customer sales."
Over the following month, further milestones were reached through close collaboration between Progent's consultants and the customer:
- In-house web sites were restored with no loss of data.
- The MailStore Server holding more than four million archived emails was brought back up and made accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivable (AR)/Inventory Control capabilities were 100% restored.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of the desktops and laptops were operational.
"Much of what happened that first week is nearly entirely a fog for me, but we will not soon forget the urgency all of you accomplished to give us our company back. I've been working with Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This time was a life saver."
A likely business catastrophe was averted through top-tier expertise, a broad range of technical skills, and close teamwork. Post-incident forensics showed that the intrusion described here could have been prevented with current security technology, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 practices, staff training, properly executed incident response procedures, and disciplined patch management. Even so, state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by ransomware, remember that Progent's team has proven experience in ransomware prevention, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for allowing me to get some sleep after we made it through the first week. All of you did an incredible job, and if any of you are visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Baltimore a portfolio of remote monitoring and security assessment services to help reduce the threat from ransomware. These include next-generation behavior-based (AI) detection to uncover zero-day ransomware variants that evade traditional signature-based antivirus products.
For 24/7/365 ransomware recovery support in Baltimore, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service built on SentinelOne's behavior-based analysis technology to guard physical and virtual endpoints against new malware, including ransomware and payloads delivered by phishing email, which readily evade traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and provides a unified platform covering the entire threat lifecycle: prevention, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time system-wide immunization against newly seen attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable, in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and machine learning for round-the-clock monitoring and response to attacks from any vector. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through tools incorporated in a single agent managed from a unified console. Progent's data protection and virtualization experts can help you design and implement a ProSight ESP deployment that addresses your company's needs and helps you demonstrate compliance with government and industry data security regulations. Progent will help you specify and implement the policies ProSight ESP enforces, monitor your network, and respond to alarms that call for immediate attention. Progent's consultants can also help you set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with advanced backup technology providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products automate and monitor your backup processes and enable non-disruptive backup and rapid recovery of critical files, apps, system images, and virtual machines. ProSight DPS helps you avoid data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, user error, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that combines the technology of leading information security vendors to deliver web-based management and comprehensive protection for all your email traffic. Email Guard pairs a Cloud Protection Layer with a local gateway appliance to defend against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as the first line of defense and stops most unwanted email before it reaches your security perimeter, reducing exposure to external attacks and saving bandwidth and storage. The onsite gateway appliance adds a further layer of analysis for inbound email. For outbound email, the local gateway provides AV and anti-spam scanning, data leakage protection (DLP), and email encryption. The on-premises gateway can also work with Exchange Server to monitor and protect internal email that originates and terminates inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, monitor, optimize and debug their connectivity hardware such as switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, captures and displays the configuration information of almost all devices on your network, monitors performance, and generates alerts when issues are discovered. By automating time-consuming management processes, WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, locating devices that require critical updates, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your IT system operating at peak levels by tracking the state of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your designated IT management staff and your assigned Progent consultant so all looming problems can be addressed before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and safeguard information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can eliminate up to 50% of time wasted searching for vital information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Read more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that uses behavior-based analysis to guard endpoints, servers, and VMs against new malware such as ransomware and phishing payloads that slip past signature-based AV tools. The service protects on-premises and cloud-based resources and provides a unified platform for the entire attack lifecycle: prevention, detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows VSS snapshots and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Service Center: Help Desk Managed Services
Progent's Support Center services enable your IT staff to outsource Support Desk services to Progent or split responsibilities for Help Desk services seamlessly between your in-house support team and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a smooth supplement to your core IT support staff. User access to the Help Desk, delivery of technical assistance, issue escalation, ticket creation and updates, efficiency measurement, and maintenance of the service database are consistent whether incidents are resolved by your in-house network support group, by Progent, or both. Read more about Progent's outsourced/shared Call Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer businesses of any size a versatile and affordable alternative for assessing, testing, scheduling, implementing, and tracking updates to your dynamic IT system. In addition to optimizing the security and reliability of your IT environment, Progent's software/firmware update management services free up time for your in-house IT team to concentrate on more strategic projects and activities that deliver maximum business value from your information network. Learn more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication services use Cisco's Duo technology to defend against stolen passwords with two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, after you sign in to a protected account with your password you are asked to confirm your identity on a device that only you possess, reached over a separate ("out-of-band") channel. Many device types can serve as the second factor, including a smartphone or wearable, a hardware token, or a landline phone, and you can register several verification devices. For more information, see Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of real-time management reporting utilities created to work with the top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.