Ransomware : Your Feared Information Technology Nightmare
Ransomware has become an escalating cyberplague that poses an extinction-level danger for businesses unprepared for an assault. Different versions of ransomware like the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been replicating for many years and still cause harm. Newer strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with additional as yet unnamed malware, not only encrypt critical online data but also compromise every system protection they can reach. Files synched to cloud environments can also be corrupted. In a poorly architected system, this can render automatic restoration useless and effectively set the network back to square one.
Restoring applications and data after a crypto-ransomware attack becomes a sprint against the clock as the targeted business tries its best to contain the damage, remove the virus, and resume business-critical operations. Because crypto-ransomware needs time to move laterally, attacks are often launched during nights and weekends, when they typically take longer to uncover. This compounds the difficulty of quickly marshalling and organizing a capable mitigation team.
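The paragraph above makes a detection point: the encryption phase is usually launched when nobody is watching. The following added example (not Progent's code, and not a description of any Progent product) shows one way a defender can act on that observation: it scans file-activity log lines and raises an alert when a single host/user pair produces a burst of writes, renames or deletes, using a much lower threshold outside business hours than during the working day. The log format, the thresholds and the business-hours window are assumptions for illustration; a real deployment would feed it Windows object-access audit events, Sysmon data or an EDR export instead.

```python
"""Added example (not Progent's code): flag bursts of file modification
that occur outside business hours, the window in which ransomware is most
often launched. Log format, thresholds and business hours are assumptions."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)        # sliding window per (host, user)
BUSINESS_START, BUSINESS_END = 8, 18  # 08:00-18:00 local time, Monday-Friday (assumed)
THRESHOLD_BUSINESS = 200              # modifications per window during the working day
THRESHOLD_OFF_HOURS = 20              # far lower bar at night and on weekends
WATCHED_ACTIONS = {"WRITE", "RENAME", "DELETE"}


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside the business-hours window on a weekday."""
    if ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= ts.hour < BUSINESS_END)


def parse_line(line: str):
    """Constructed format: '<ISO timestamp> <host> <user> <action> <path>'."""
    ts_s, host, user, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts_s), host, user, action, path


def detect_bursts(lines):
    """Return one alert per (host, user) the first time it crosses the
    threshold that applies to the time of day of the triggering event."""
    recent = defaultdict(deque)  # (host, user) -> timestamps inside WINDOW
    alerted = set()
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, user, action, path = parse_line(line)
        if action not in WATCHED_ACTIONS:
            continue
        key = (host, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW:  # drop events older than the window
            q.popleft()
        off = is_off_hours(ts)
        limit = THRESHOLD_OFF_HOURS if off else THRESHOLD_BUSINESS
        if len(q) >= limit and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": host, "user": user, "count": len(q), "off_hours": off,
                "first_seen": q[0], "last_seen": ts, "example_path": path,
            })
    return alerts


def build_sample_log():
    """Constructed sample input: 25 renames at 02:11 on a Saturday (the kind
    of burst the text warns about) and 30 ordinary writes on a Monday morning."""
    lines = []
    t0 = datetime(2020, 3, 14, 2, 11, 0)  # Saturday
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} FS01 svc_backup RENAME "
                     f"\\\\fs01\\shares\\finance\\doc{i}.xlsx.encrypted")
    t1 = datetime(2020, 3, 16, 10, 0, 0)  # Monday
    for i in range(30):
        lines.append(f"{(t1 + timedelta(seconds=2 * i)).isoformat()} WS042 jdoe WRITE "
                     f"C:\\Users\\jdoe\\Documents\\report{i}.docx")
    lines.append(f"{(t1 + timedelta(minutes=5)).isoformat()} WS042 jdoe READ "
                 f"C:\\Users\\jdoe\\Documents\\notes.txt")
    return lines


if __name__ == "__main__":
    for a in detect_bursts(build_sample_log()):
        when = "off-hours" if a["off_hours"] else "business hours"
        print(f"ALERT {a['host']}/{a['user']}: {a['count']} modifications in "
              f"{WINDOW.seconds}s ({when}), e.g. {a['example_path']}")
```

Run against the constructed sample, the Saturday-night burst by the backup service account is reported after 20 renames while the Monday-morning editing session stays well under the daytime threshold. The per-actor sliding window is deliberately simple; the point is that the same volume of activity deserves a different response depending on when it happens.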
Progent offers a range of services for protecting organizations from ransomware penetrations. Among these are staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of next-generation security gateways with machine learning capabilities from SentinelOne to identify and extinguish new cyber threats intelligently. Progent also provides the services of seasoned crypto-ransomware recovery consultants with the talent and perseverance to restore a breached system as urgently as possible.
Progent's Ransomware Restoration Services
Following a ransomware event, paying the ransom in Bitcoin cryptocurrency provides no assurance that the remote criminals will respond with the keys needed to decrypt any of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their files after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC (roughly $120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET estimates to be in the range of $13,000. The other path is to piece back together the key elements of your IT environment. Without complete information backups, this calls for a wide complement of skill sets, top-notch project management, and the ability to work continuously until the task is complete.
For twenty years, Progent has provided certified expert IT services for companies in Bellevue and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the skills to knowledgeably identify critical systems, integrate the surviving parts of your IT environment following a crypto-ransomware event, and configure them into a functioning system.
Progent's recovery team of experts deploys top-notch project management systems to orchestrate the complicated recovery process. Progent knows the importance of acting swiftly and in concert with a client's management and IT team members to assign priority to tasks and to get essential systems back online as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Incident Recovery
A business sought out Progent after their organization was taken over by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state-backed criminal gangs, possibly adopting techniques leaked from the U.S. NSA. Ryuk goes after specific businesses with little tolerance for operational disruption and is one of the most lucrative instances of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with around 500 workers. The Ryuk penetration had brought down all company operations and manufacturing processes. Most of the client's information backups had been directly accessible at the start of the attack and were encrypted. The client considered paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately called Progent.
"I can't thank you enough for the expertise Progent gave us throughout the most critical period of (our) business's life. We might have had to pay the cyber criminals behind the attack except for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and important servers back in less than five days was beyond my wildest dreams. Every single person I talked with or texted at Progent was hell-bent on getting my company operational and was working non-stop to bail us out."
Progent worked hand in hand with the client to quickly understand and prioritize the most important areas that needed to be recovered to make it possible to continue company functions:
- Microsoft Active Directory
- Microsoft Exchange Email
- Financials/MRP
To begin, Progent followed anti-malware incident mitigation best practices by stopping lateral movement and performing virus removal steps. Progent then began the task of recovering Microsoft Active Directory, the heart of enterprise environments built upon Microsoft Windows Server technology. Exchange email will not function without Windows AD, and the client's accounting and MRP system used Microsoft SQL Server, which depends on Active Directory services for access to the databases.
Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then charged ahead with rebuilding mission-critical applications and recovering their storage. All Exchange ties and attributes were intact, which facilitated the restore of Exchange. Progent was also able to collect intact OST data files (Outlook Offline Folder Files) on various PCs and laptops in order to recover email data. A relatively recent offline backup of the client's manufacturing systems made it possible to bring these essential services back to serving users. Although a lot of work remained to recover totally from the Ryuk virus, the most important services were recovered rapidly:
"For the most part, the production manufacturing operation never missed a beat and we produced all customer deliverables."
Over the next couple of weeks, important milestones in the recovery project were achieved in close cooperation between Progent consultants and the customer:
- Internal web sites were restored with no loss of data.
- The MailStore Server containing more than four million archived messages was brought online and accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were 100 percent restored.
- A new Palo Alto 850 firewall was installed.
- Ninety percent of the user workstations were back in use by staff.
"A lot of what happened during the initial response is nearly entirely a blur for me, but my management will not soon forget the urgency all of you put in to give us our business back. I have been working with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This event was the most impressive ever."
Conclusion
A probable business catastrophe was averted by top-tier experts, a broad array of subject matter expertise, and tight teamwork. Although forensics completed afterwards showed that the ransomware penetration described here could have been prevented with up-to-date security technology and NIST Cybersecurity Framework best practices, user and IT administrator education, and properly executed security procedures for data protection and software patching, the fact remains that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's team of experts has a proven track record in ransomware blocking, removal, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), I'm grateful for making it so I could get some sleep after we got through the first week. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Bellevue a variety of online monitoring and security evaluation services to help you minimize the threat from ransomware. These services incorporate modern machine learning technology to detect new strains of ransomware that can escape detection by legacy signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting-edge behavioral machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to address the complete threat progression including blocking, infiltration detection, mitigation, remediation, and forensics. Key features include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device management, and web filtering through leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP environment that meets your company's unique needs and that allows you to demonstrate compliance with government and industry information protection standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent can also help you to install and verify a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has partnered with advanced backup software providers to create ProSight Data Protection Services, a portfolio of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup operations and allow non-disruptive backup and rapid recovery of vital files/folders, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, human mistakes, ill-intentioned insiders, or software glitches. Managed backup services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security vendors to deliver web-based control and comprehensive protection for your inbound and outbound email. The hybrid structure of Email Guard combines a Cloud Protection Layer with a local gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks most threats from making it to your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite security gateway device adds a further level of analysis for incoming email. For outbound email, the local security gateway offers AV and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, monitor, enhance and troubleshoot their connectivity hardware like routers, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating tedious management and troubleshooting processes, WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, locating appliances that need critical updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT staff and your assigned Progent consultant so any looming problems can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hosting solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Find out more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior analysis tools to guard endpoint devices as well as physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-based AV tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and provide a single platform to manage the complete malware attack lifecycle including filtering, detection, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Call Center: Support Desk Managed Services
Progent's Help Center services allow your information technology group to outsource Support Desk services to Progent or divide responsibilities for support services seamlessly between your in-house network support staff and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a smooth extension of your internal support team. Client access to the Help Desk, provision of support, problem escalation, trouble ticket generation and tracking, performance measurement, and management of the service database are cohesive regardless of whether issues are taken care of by your internal network support organization, by Progent, or by a combination. Learn more about Progent's outsourced/shared Help Desk services.
- Progent's Patch Management: Patch Management Services
Progent's support services for patch management provide businesses of any size a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and tracking updates to your ever-evolving IT system. In addition to optimizing the security and functionality of your IT network, Progent's patch management services free up time for your in-house IT staff to focus on more strategic projects and tasks that derive maximum business value from your network. Read more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to protect against stolen passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity verification with Apple iOS, Google Android, and other personal devices. With 2FA, whenever you log into a secured application and enter your password you are requested to confirm your identity on a device that only you have and that is accessed using a separate network channel. A wide selection of devices can be utilized as this second form of authentication, including an iPhone, Android phone or wearable, a hardware/software token, a landline telephone, etc. You may designate multiple validation devices. To learn more about Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of real-time and in-depth reporting utilities designed to work with the top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For Bellevue 24-Hour Crypto Cleanup Experts, call Progent at 800-462-8800 or go to Contact Progent.