Crypto-Ransomware: Your Crippling IT Catastrophe
Ransomware has become an escalating cyber pandemic and an enterprise-level threat for businesses unprepared for an attack. Ransomware families such as CrySIS, Fusob, Locky, SamSam and MongoLock have been circulating for years and continue to cause havoc. Newer families like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, plus as yet unnamed newcomers appearing daily, not only encrypt online data files but also encrypt or delete any backups reachable from the compromised network. Data synchronized to the cloud can be encrypted as well, because the sync client faithfully uploads the encrypted versions of the files. In a poorly designed environment this renders restore operations useless and knocks the entire system back to square one.
Getting services and data back online after a crypto-ransomware event is a race against time as the targeted business tries to contain the damage, remove the ransomware, and resume mission-critical activity. Because ransomware needs time to spread, attackers usually trigger encryption at night or over a weekend, when it takes longer for anyone to notice. This makes it much harder to promptly mobilize and coordinate a capable response team.
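The backup destruction described above is visible in process-creation telemetry before the first file is encrypted: Ryuk and similar families run a short script that deletes shadow copies, wipes the Windows backup catalog and disables boot recovery. The detector below is an added example, not code from Progent or from any product on this page. It takes process-creation records of the kind you would export from Windows Security event 4688 or Sysmon event 1, matches the command lines against a small (illustrative, not complete) set of backup-destruction patterns, and raises the severity when several techniques appear on one host or when they run off-hours. The sample events, the business-hours window and the severity thresholds are all constructed assumptions for the example.

```python
"""Detect backup-destruction commands that ransomware runs before encrypting.

Input is a list of process-creation records (the fields Windows Security
event 4688 or Sysmon event 1 provide after export). The records at the
bottom are constructed for this example.
"""
import re
from datetime import datetime

# Command-line patterns used by ransomware families such as Ryuk to destroy
# local recovery points before encryption. Assumption: this list is
# illustrative rather than a complete signature set.
BACKUP_KILL_PATTERNS = {
    "vss_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadow_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete": re.compile(
        r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I),
    "bcdedit_recovery_off": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}

# Local business hours; anything outside is treated as off-hours (assumption).
BUSINESS_HOURS = (6, 20)  # 06:00 inclusive to 20:00 exclusive


def is_off_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def classify(cmdline: str) -> list:
    """Return the names of every backup-destruction pattern the command matches."""
    return [name for name, pat in BACKUP_KILL_PATTERNS.items() if pat.search(cmdline)]


def analyze(records: list) -> list:
    """Group matching events per host and rate them.

    A single technique during business hours may be legitimate admin work and
    is rated 'high' for review; two or more distinct techniques on one host, or
    any technique off-hours, is rated 'critical' and should trigger isolation.
    """
    per_host = {}
    for rec in records:
        hits = classify(rec["cmdline"])
        if not hits:
            continue
        ts = datetime.fromisoformat(rec["time"])
        entry = per_host.setdefault(
            rec["host"], {"techniques": set(), "users": set(),
                          "off_hours": False, "first_seen": ts})
        entry["techniques"].update(hits)
        entry["users"].add(rec["user"])
        entry["off_hours"] = entry["off_hours"] or is_off_hours(ts)
        entry["first_seen"] = min(entry["first_seen"], ts)

    alerts = []
    for host, e in sorted(per_host.items()):
        critical = len(e["techniques"]) >= 2 or e["off_hours"]
        alerts.append({
            "host": host,
            "users": sorted(e["users"]),
            "techniques": sorted(e["techniques"]),
            "first_seen": e["first_seen"].isoformat(),
            "severity": "critical" if critical else "high",
        })
    return alerts


# Constructed sample: a Ryuk-style pre-encryption script on file server FS01
# at 02:13, plus one routine shadow-copy cleanup by an admin during the day.
SAMPLE_EVENTS = [
    {"time": "2021-03-14T02:13:07", "host": "FS01", "user": r"CORP\jdoe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /all /quiet"},
    {"time": "2021-03-14T02:13:08", "host": "FS01", "user": r"CORP\jdoe",
     "cmdline": "wbadmin DELETE SYSTEMSTATEBACKUP"},
    {"time": "2021-03-14T02:13:09", "host": "FS01", "user": r"CORP\jdoe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"time": "2021-03-14T02:13:10", "host": "FS01", "user": r"CORP\jdoe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"time": "2021-03-13T10:05:00", "host": "WS22", "user": r"CORP\itadmin",
     "cmdline": "vssadmin delete shadows /for=C: /oldest"},
    {"time": "2021-03-13T10:06:00", "host": "WS22", "user": r"CORP\itadmin",
     "cmdline": r"notepad.exe C:\Users\itadmin\notes.txt"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, FS01 is rated critical (three distinct techniques, all at 02:13) and WS22 is rated high for review, since a single daytime shadow-copy deletion is also what an administrator freeing disk space looks like. The same command lines are the reason shadow-copy-based rollback features only help if the endpoint agent blocks these commands rather than merely logging them.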
Progent offers a range of services for protecting businesses from ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of SentinelOne endpoint protection, which uses behavior-based machine learning to detect and contain new attacks quickly. Progent can also provide veteran ransomware recovery engineers with the skill and perseverance to rebuild a compromised network as urgently as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in cryptocurrency gives no assurance that the criminals will hand over working decryption keys for all of your files. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. Paying is also expensive: Ryuk ransoms often run to several hundred thousand dollars, and for larger enterprises can reach millions. The alternative is to rebuild the key components of your IT environment from scratch. Without complete backups, this calls for a broad complement of IT skills, professional project management, and the capacity to work around the clock until the job is done.
For decades, Progent has provided professional IT services to businesses across the United States and holds Microsoft Partner certifications in the Datacenter and Cloud Productivity competencies. Progent's subject matter experts include consultants with advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0 (visit Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of experience allows Progent to quickly identify the systems that matter, salvage the surviving parts of your IT environment after a ransomware event, and reassemble them into an operational system.
Progent's recovery team uses project management tools to coordinate the complex recovery process. Progent understands the importance of working quickly and jointly with a customer's management and IT staff to prioritize tasks and bring the most important applications back online as fast as possible.
Business Case Study: A Successful Crypto-Ransomware Attack Recovery
A mid-sized business sought out Progent after its network was brought down by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group; the TrickBot infections that typically precede a Ryuk deployment have spread using exploits from the leaked NSA toolset. Ryuk targets specific businesses with little tolerance for disruption and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer in the Chicago metro area with about 500 employees. The Ryuk intrusion had paralyzed all essential business and manufacturing operations. Most of the client's backups had been online at the start of the attack and were encrypted. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.
"I cannot tell you enough in regards to the help Progent gave us throughout the most stressful period of (our) company's existence. We may have had to pay the cyber criminals except for the confidence the Progent group gave us. That you were able to get our e-mail and critical applications back on-line in fewer than seven days was amazing. Each expert I spoke to or communicated with at Progent was absolutely committed to getting our company operational and was working at breakneck pace to bail us out."
Progent worked with the customer to quickly identify and prioritize the mission-critical services that had to be restored so that business could continue:
- Active Directory (AD)
- Microsoft Exchange Server
- Financials/MRP
To begin, Progent followed incident response best practices by isolating affected systems to halt the spread and removing active malware. Progent then began restoring Microsoft Active Directory, the core of any enterprise environment built on Microsoft technology: Exchange email does not function without AD, and the business's MRP software ran on Microsoft SQL Server, which relied on AD to authenticate access to the data.
Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then helped reinstall and recover data for the key applications. Exchange Server's links and configuration data were intact, which greatly simplified the Exchange restore. To recover mail data, Progent collected local OST files (Outlook Offline Data Files) from staff desktops and laptops. An OST is a cached copy of the user's mailbox, so it has to be exported before the Outlook client reconnects to the rebuilt server; otherwise Outlook resynchronizes the empty server mailbox over the local copy. A recent offline backup of the customer's accounting/ERP system made it possible to bring these vital applications back online. Although a large amount of work remained to recover fully from the Ryuk event, core systems were recovered quickly:
"For the most part, the production operation did not miss a beat and we delivered all customer sales."
Over the following few weeks, important recovery milestones were reached in close collaboration between Progent team members and the customer:
- Self-hosted web applications were restored without losing any data.
- The MailStore email archive server containing more than 4 million archived messages was brought online and made available to users.
- The CRM, Orders, Invoices, AP, Accounts Receivable and Inventory Control modules were completely recovered.
- A new Palo Alto PA-850 firewall was installed.
- 90% of user PCs were back in service.
"A huge amount of what went on during the initial response is mostly a fog for me, but our team will not forget the care each and every one of you accomplished to help get our business back. I have been working together with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."
Conclusion
A probable business-extinction event was averted by hard-working professionals, a broad spectrum of subject matter expertise, and close teamwork. Post-incident forensics showed that the intrusion described here should have been detected and blocked by modern security tooling combined with ISO/IEC 27001 best practices: user training, properly executed backup procedures that keep copies offline or otherwise out of reach of the production network, and timely security patching. Even so, state-sponsored and criminal cyber gangs operating from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's team of experts has proven experience in ransomware blocking, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we got through the most critical parts. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Bellevue a variety of remote monitoring and security assessment services to help minimize your exposure to ransomware. These services use behavior-based machine learning to detect previously unseen ransomware variants that evade legacy signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection platform (EPP) built on SentinelOne's behavior-based machine learning to defend physical and virtual endpoints against modern attacks such as ransomware and phishing payloads, which routinely evade legacy signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud resources and provides a single platform covering the full attack lifecycle: prevention, intrusion detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly identified threats. Because most ransomware families delete shadow copies before they start encrypting, VSS-based rollback only works if the agent blocks that step; when evaluating the deployment, confirm that shadow-copy deletion is actually prevented rather than merely logged. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services offer affordable, in-depth security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and behavior analysis to continuously monitor and respond to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering through technologies packaged in a single agent managed from a single console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP deployment that addresses your company's specific requirements and allows you to demonstrate compliance with government and industry data protection standards. Progent will assist you in defining and configuring the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent can also help you install and test a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with advanced backup software providers to produce ProSight Data Protection Services, a selection of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services manage and monitor your data backup processes and enable transparent backup and fast recovery of vital files/folders, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss caused by hardware failures, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security vendors to provide web-based control and comprehensive protection for your inbound and outbound email. The architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to defend against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as the first barrier and blocks the vast majority of threats before they reach your security perimeter, reducing your exposure to external threats and saving bandwidth and storage. Email Guard's onsite gateway appliance adds a further layer of analysis for incoming email. For outbound email, the local gateway provides AV and anti-spam protection, DLP, and email encryption. The local gateway can also work with Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, enhance and troubleshoot their connectivity hardware like routers, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are always updated, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding appliances that require important updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your network operating efficiently by checking the state of critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your specified IT staff and your assigned Progent consultant so that all potential issues can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hosting solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect information about your network infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL/TLS certificates, domains or warranties. By keeping your network documentation current and organized, you can save as much as half the time spent searching for vital information about your IT network. ProSight IT Asset Management provides a common location for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates behavior-based machine learning technology to defend endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-matching AV tools. The service safeguards local and cloud resources and provides a unified platform addressing the entire attack lifecycle: protection, detection, containment, cleanup, and forensics. Key features include single-click rollback with the Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Help Desk: Call Center Managed Services
Progent's Support Center services permit your IT team to outsource Help Desk services to Progent or split activity for Help Desk services transparently between your internal network support resources and Progent's extensive roster of IT service engineers and subject matter experts. Progent's Shared Service Desk offers a seamless extension of your in-house network support organization. User access to the Service Desk, provision of support, problem escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the service database are cohesive whether incidents are resolved by your core IT support organization, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Service Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer organizations of any size a versatile and affordable solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic information system. Besides optimizing the security and functionality of your IT environment, Progent's patch management services permit your IT staff to focus on more strategic projects and activities that derive maximum business value from your network. Find out more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA service plans use Cisco's Duo technology to limit the damage from stolen passwords by requiring a second factor at sign-in. Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected account and enter your password, you are asked to confirm your identity on a device that only you have, over a separate channel. A wide selection of devices can serve as this second factor, including a smartphone or wearable, a hardware token, or a landline telephone, and you may register several. Not all factors are equal: hardware security keys (Duo supports FIDO2/WebAuthn keys) resist phishing, while phone-call and SMS factors are the weakest option and are a poor choice for administrator accounts. For details about ProSight Duo two-factor identity authentication services, see Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of in-depth reporting tools designed to integrate with the industry's leading ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24-7 Bellevue Crypto Remediation Consultants, call Progent at 800-462-8800 or go to Contact Progent.