Crypto-Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware has become an escalating cyber pandemic that represents an extinction-level danger for organizations unprepared for an attack. Multiple generations of ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for years and continue to cause damage. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, along with additional as yet unnamed malware, not only encrypt online critical data but also infect most available system backups. Information synchronized to off-site disaster recovery sites can also be ransomed. In a poorly architected environment, this can render any restoration impossible and basically knocks the network back to zero.
Getting applications and information back online following a crypto-ransomware event becomes a race against time as the targeted business tries its best to stop the spread, clean up the ransomware, and resume business-critical activity. Since crypto-ransomware requires time to move laterally, assaults are often launched on weekends, when attacks are likely to take more time to uncover. This multiplies the difficulty of rapidly assembling and organizing a capable mitigation team.
Progent makes available an assortment of support services for protecting organizations from crypto-ransomware events. Among these are team education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security gateways with machine learning capabilities from SentinelOne to detect and quarantine new threats intelligently. Progent also provides the services of veteran ransomware recovery professionals with the talent and perseverance to reconstruct a breached network as rapidly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Following a crypto-ransomware event, even paying the ransom demands in cryptocurrency does not ensure that criminal gangs will return the needed codes to decrypt any of your data. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms are commonly several hundred thousand dollars. For larger organizations, the ransom demand can reach millions of dollars. The fallback is to set up from scratch the essential elements of your IT environment. Absent access to essential information backups, this calls for a broad range of skills, well-coordinated team management, and the capability to work continuously until the recovery project is finished.
For twenty years, Progent has offered professional IT services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of experience affords Progent the ability to efficiently ascertain necessary systems and consolidate the surviving parts of your Information Technology environment following a ransomware penetration and rebuild them into an operational network.
Progent's ransomware team utilizes state-of-the-art project management applications to coordinate the complicated recovery process. Progent knows the urgency of acting rapidly and in unison with a customer's management and Information Technology resources to assign priority to tasks and to put essential services back online as fast as humanly possible.
Client Story: A Successful Ransomware Intrusion Restoration
A business contacted Progent after their network system was brought down by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored criminal gangs, possibly using strategies leaked from the United States National Security Agency. Ryuk seeks specific organizations with limited ability to sustain disruption and is among the most profitable versions of ransomware viruses. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with about 500 employees. The Ryuk attack had brought down all essential operations and manufacturing capabilities. Most of the client's system backups had been online at the time of the intrusion and were destroyed. The client considered paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.
"I cannot speak enough about the help Progent gave us throughout the most fearful period of (our) business's life. We may have had to pay the criminal gangs if not for the confidence the Progent experts afforded us. The fact that you could get our e-mail system and critical applications back into operation quicker than one week was earth shattering. Every single expert I interacted with or communicated with at Progent was absolutely committed to getting us operational and was working 24 by 7 on our behalf."
Progent worked with the client to quickly understand and assign priority to the essential systems that had to be restored in order to continue departmental functions:
- Active Directory
- Exchange Server
- Accounting/MRP
To start, Progent followed anti-virus/malware incident response best practices by halting the spread and removing active malware. Progent then began the task of bringing Microsoft Active Directory back online, the key technology of enterprise networks built upon Microsoft technology. Microsoft Exchange email will not work without Active Directory, and the customer's MRP system used SQL Server, which depends on Windows AD for access to the information.
Within 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then performed setup and hard drive recovery of needed systems. All Microsoft Exchange Server data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate intact OST data files (Outlook Off-Line Data Files) on staff PCs to recover mail data. A recent offline backup of the customer's accounting/MRP software made it possible to return these essential programs to users. Although major work remained to recover totally from the Ryuk damage, core systems were returned to operation quickly:
"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer shipments."
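The restoration order above (Active Directory first, then Exchange and SQL Server, then the MRP application on top of SQL Server) is a dependency problem, and a recovery team benefits from computing the waves rather than reasoning them out under pressure. The following planner is an added example, not Progent's tooling; the inventory, dependency edges and backup states are constructed from the case study as described.

```python
"""Recovery-wave planner for a ransomware rebuild.

Constructed example (not Progent's own code). Each system lists the services
it depends on; restoration proceeds in waves so a system is only rebuilt once
everything it needs is back. The backup state decides how each system is
brought back: restore from an offline copy, reattach surviving data, or
rebuild from scratch when the online backups were destroyed.
"""
from collections import deque

# Constructed inventory modelled on the case study: Exchange and SQL Server
# need Active Directory, and the MRP application needs SQL Server.
SYSTEMS = {
    "Active Directory": {"depends_on": [], "backup": "destroyed"},
    "Exchange Server": {"depends_on": ["Active Directory"], "backup": "data-intact"},
    "SQL Server": {"depends_on": ["Active Directory"], "backup": "destroyed"},
    "Accounting/MRP": {"depends_on": ["SQL Server"], "backup": "offline"},
}


def plan_waves(systems):
    """Return restoration waves (lists of system names) using Kahn's algorithm.

    Raises ValueError on an unknown dependency or a dependency cycle, both of
    which mean the inventory is wrong and must be corrected before rebuilding.
    """
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            if dep not in systems:
                raise ValueError(f"{name} depends on unknown system {dep}")
    indegree = {name: len(spec["depends_on"]) for name, spec in systems.items()}
    dependents = {name: [] for name in systems}
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            dependents[dep].append(name)
    ready = deque(n for n, d in indegree.items() if d == 0)
    waves, scheduled = [], 0
    while ready:
        wave = sorted(ready)  # everything whose dependencies are already restored
        ready.clear()
        for name in wave:
            scheduled += 1
            for child in dependents[name]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    ready.append(child)
        waves.append(wave)
    if scheduled != len(systems):
        raise ValueError("dependency cycle: cannot order restoration")
    return waves


def restore_method(spec):
    """Map a backup state to the recovery approach the case study describes."""
    return {
        "offline": "restore from offline backup",
        "data-intact": "reattach surviving data",
        "destroyed": "rebuild from scratch",
    }[spec["backup"]]


def recovery_plan(systems):
    """Pair every system in each wave with how it will be brought back."""
    return [[(n, restore_method(systems[n])) for n in wave] for wave in plan_waves(systems)]


if __name__ == "__main__":
    for i, wave in enumerate(recovery_plan(SYSTEMS), 1):
        print(f"Wave {i}: " + "; ".join(f"{n} ({m})" for n, m in wave))
```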
Throughout the following couple of weeks key milestones in the restoration process were completed through close cooperation between Progent engineers and the customer:
- Internal web sites were restored with no loss of information.
- The MailStore Exchange Server, holding more than four million archived emails, was restored to operation and made available to users.
- CRM/Orders/Invoices/AP/Accounts Receivable/Inventory Control capabilities were 100% recovered.
- A new Palo Alto 850 security appliance was installed and configured.
- Ninety percent of the desktop computers were being used by staff.
"Much of what was accomplished those first few days is nearly entirely a fog for me, but my management will not forget the care all of your team accomplished to give us our company back. I've been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered as promised. This situation was the most impressive ever."
Conclusion
A likely enterprise-killing disaster was dodged through the efforts of results-oriented professionals, a wide spectrum of knowledge, and tight collaboration. Although in retrospect the ransomware virus attack described here should have been prevented with modern cyber security solutions and NIST Cybersecurity Framework best practices, user training, and properly executed security procedures for data protection and applying software patches, the fact is that state-sponsored hackers from Russia, China and elsewhere are tireless and are an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's team of experts has substantial experience in ransomware virus blocking, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for letting me get some sleep after we made it through the most critical parts. Everyone did an amazing job, and if anyone that helped is around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Bellevue a range of online monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services utilize modern machine learning capability to uncover new strains of crypto-ransomware that are able to get past traditional signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's cutting edge behavior analysis tools to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a single platform to address the complete malware attack lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection services offer affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint control, and web filtering through cutting-edge tools packaged within a single agent managed from a unified control. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that helps you prove compliance with legal and industry information protection standards. Progent will assist you to define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent action. Progent can also assist you to install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup operations and enable non-disruptive backup and fast recovery of important files, applications, images, plus VMs. ProSight DPS helps you protect against data loss resulting from hardware breakdown, natural calamities, fire, malware like ransomware, user mistakes, malicious employees, or software bugs. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these fully managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security vendors to provide web-based management and comprehensive security for all your email traffic. The hybrid architecture of the Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of inspection for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, enhance and debug their networking hardware such as routers, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and displays the configuration of virtually all devices on your network, tracks performance, and generates alerts when potential issues are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating devices that require important software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your network running at peak levels by tracking the state of critical assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT management staff and your Progent engineering consultant so that all looming issues can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hardware solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to 50% of time spent trying to find critical information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require when you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior-based machine learning technology to guard endpoint devices, servers, and VMs against new malware attacks like ransomware and email phishing, which easily evade legacy signature-based AV products. Progent Active Security Monitoring services safeguard local and cloud resources and provide a single platform to address the entire threat lifecycle including filtering, detection, mitigation, remediation, and forensics. Top features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Help Center: Support Desk Managed Services
Progent's Help Desk services allow your IT group to outsource Call Center services to Progent or split responsibilities for Service Desk support seamlessly between your internal network support group and Progent's extensive pool of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a seamless extension of your corporate network support team. Client interaction with the Help Desk, provision of technical assistance, problem escalation, trouble ticket generation and updates, efficiency measurement, and maintenance of the support database are consistent whether issues are taken care of by your in-house network support resources, by Progent, or both. Read more about Progent's outsourced/co-managed Help Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and affordable alternative for evaluating, validating, scheduling, implementing, and tracking updates to your dynamic information network. In addition to optimizing the protection and functionality of your computer environment, Progent's software/firmware update management services allow your IT staff to focus on line-of-business initiatives and activities that deliver maximum business value from your network. Find out more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA services utilize Cisco's Duo technology to protect against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected application and give your password you are asked to confirm who you are via a device that only you have and that is accessed using a different ("out-of-band") network channel. A wide selection of out-of-band devices can be used as this second form of ID validation, including an iPhone, Android phone or wearable, a hardware/software token, a landline phone, etc. You can register several validation devices. For more information about ProSight Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of in-depth reporting utilities created to work with the industry's top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-up or machines with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For Bellevue 24-7 Ransomware Recovery Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.