Ransomware : Your Worst IT Disaster
Ransomware has become an escalating cyberplague that presents an existential danger for businesses of all sizes poorly prepared for an assault. Multiple generations of ransomware such as Dharma, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for many years and still inflict harm. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus more as yet unnamed newcomers, not only do encryption of on-line files but also infect any available system backups. Data replicated to the cloud can also be ransomed. In a vulnerable data protection solution, it can render automated restoration impossible and effectively sets the network back to zero.
Restoring programs and data following a ransomware intrusion becomes a race against the clock as the targeted organization fights to contain the damage and remove the crypto-ransomware and to resume enterprise-critical operations. Since ransomware needs time to replicate, assaults are frequently sprung at night, when successful attacks tend to take more time to notice. This compounds the difficulty of rapidly marshalling and organizing an experienced response team.
Progent offers an assortment of help services for protecting enterprises from crypto-ransomware attacks. Among these are team member training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security solutions with machine learning capabilities from SentinelOne to identify and quarantine new cyber threats automatically. Progent in addition offers the services of veteran ransomware recovery professionals with the track record and commitment to rebuild a breached network as soon as possible.
Progent's Crypto-Ransomware Recovery Help
Soon after a ransomware penetration, paying the ransom in cryptocurrency does not guarantee that criminal gangs will respond with the keys to decrypt any of your files. Kaspersky Labs estimated that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to re-install the key elements of your IT environment. Without access to essential system backups, this calls for a broad range of IT skills, well-coordinated project management, and the ability to work 24x7 until the task is complete.
For twenty years, Progent has provided certified expert Information Technology services for businesses in Bellevue and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP applications. This breadth of expertise gives Progent the capability to quickly identify necessary systems and organize the surviving components of your network system following a crypto-ransomware penetration and assemble them into an operational network.
Progent's ransomware group has powerful project management applications to coordinate the sophisticated recovery process. Progent understands the importance of acting swiftly and together with a customer's management and Information Technology team members to assign priority to tasks and to get key services back on-line as fast as humanly possible.
Business Case Study: A Successful Ransomware Incident Recovery
A small business contacted Progent after their network was penetrated by Ryuk ransomware. Ryuk is thought to have been created by Northern Korean state criminal gangs, possibly using algorithms exposed from the United States NSA organization. Ryuk targets specific businesses with little ability to sustain operational disruption and is one of the most profitable incarnations of ransomware malware. Well Known targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with around 500 employees. The Ryuk intrusion had brought down all essential operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the attack and were encrypted. The client was taking steps for paying the ransom (more than $200K) and hoping for good luck, but ultimately reached out to Progent.
"I can't tell you enough about the support Progent provided us throughout the most critical period of (our) company's survival. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent experts afforded us. The fact that you could get our e-mail and production applications back into operation faster than seven days was earth shattering. Each expert I interacted with or e-mailed at Progent was amazingly focused on getting us working again and was working non-stop to bail us out."
Progent worked together with the customer to rapidly understand and prioritize the essential systems that had to be restored to make it possible to continue company operations:
To get going, Progent followed AV/Malware Processes event response best practices by stopping lateral movement and removing active viruses. Progent then started the work of rebuilding Active Directory, the core of enterprise systems built upon Microsoft Windows Server technology. Exchange messaging will not operate without Active Directory, and the businesses' financials and MRP applications utilized SQL Server, which requires Active Directory services for access to the database.
- Active Directory
- Microsoft Exchange Email
- MRP System
In less than 2 days, Progent was able to recover Active Directory services to its pre-intrusion state. Progent then helped perform setup and storage recovery on key applications. All Exchange data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Outlook Offline Data Files) on various PCs and laptops in order to recover mail messages. A recent offline backup of the customer's accounting/ERP software made them able to restore these required programs back on-line. Although a large amount of work still had to be done to recover completely from the Ryuk virus, core services were restored quickly:
"For the most part, the production line operation did not miss a beat and we produced all customer sales."
During the next month critical milestones in the restoration project were achieved through tight collaboration between Progent team members and the customer:
- Internal web applications were brought back up without losing any information.
- The MailStore Server containing more than four million historical emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory Control modules were 100 percent recovered.
- A new Palo Alto Networks 850 firewall was brought on-line.
- Nearly all of the desktop computers were functioning as before the incident.
"So much of what was accomplished in the early hours is nearly entirely a blur for me, but my team will not soon forget the care each and every one of your team put in to give us our business back. I have entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered. This time was a testament to your capabilities."
A potential business extinction disaster was averted due to dedicated experts, a wide spectrum of technical expertise, and close collaboration. Although in analyzing the event afterwards the ransomware virus attack detailed here should have been prevented with modern cyber security technology solutions and best practices, staff training, and properly executed incident response procedures for data protection and proper patching controls, the fact remains that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware penetration, remember that Progent's team of experts has extensive experience in crypto-ransomware virus defense, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for letting me get rested after we made it through the initial push. Everyone did an impressive job, and if anyone is around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Bellevue a portfolio of remote monitoring and security evaluation services to assist you to reduce your vulnerability to crypto-ransomware. These services utilize modern machine learning technology to detect zero-day variants of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus solutions.
For Bellevue 24/7/365 Ransomware Recovery Consulting, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus products. ProSight ASM protects on-premises and cloud resources and offers a unified platform to manage the entire threat progression including protection, identification, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can help you to plan and implement a ProSight ESP environment that meets your company's unique requirements and that allows you prove compliance with government and industry information protection standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent's consultants can also assist you to install and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has partnered with advanced backup technology companies to create ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup processes and enable non-disruptive backup and rapid recovery of vital files/folders, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss caused by hardware breakdown, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to deliver web-based management and world-class protection for all your inbound and outbound email. The hybrid structure of Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. The cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from making it to your security perimeter. This reduces your vulnerability to external threats and saves network bandwidth and storage. Email Guard's on-premises security gateway device provides a further layer of analysis for incoming email. For outgoing email, the onsite gateway provides AV and anti-spam protection, DLP, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map out, track, enhance and debug their networking appliances such as switches, firewalls, and access points plus servers, client computers and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that network maps are always updated, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding devices that need important updates, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to keep your IT system running at peak levels by tracking the health of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so any potential problems can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved easily to a different hosting solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates ,domains or warranties. By updating and managing your IT infrastructure documentation, you can save as much as 50% of time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior machine learning tools to defend endpoints and physical and virtual servers against new malware assaults like ransomware and email phishing, which easily evade traditional signature-based AV products. Progent ASM services safeguard local and cloud-based resources and provides a single platform to manage the entire threat lifecycle including filtering, detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Learn more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Help Desk: Call Center Managed Services
Progent's Call Desk services allow your information technology group to offload Call Center services to Progent or split activity for Service Desk support seamlessly between your internal network support group and Progent's nationwide roster of IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a smooth supplement to your core support team. End user access to the Help Desk, provision of technical assistance, issue escalation, trouble ticket generation and tracking, efficiency measurement, and management of the service database are consistent regardless of whether incidents are resolved by your in-house support organization, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Service Center services.
- Patch Management: Patch Management Services
Progent's support services for patch management provide organizations of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic IT system. In addition to maximizing the security and reliability of your IT environment, Progent's patch management services permit your IT team to concentrate on more strategic initiatives and activities that derive the highest business value from your information network. Read more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo authentication service plans incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo supports one-tap identity confirmation with Apple iOS, Google Android, and other personal devices. With 2FA, when you sign into a secured application and give your password you are asked to verify who you are on a device that only you possess and that uses a different ("out-of-band") network channel. A wide range of devices can be utilized as this second means of ID validation such as an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You can designate multiple validation devices. For more information about ProSight Duo two-factor identity validation services, refer to Duo MFA two-factor authentication services for access security.