Crypto-Ransomware: Your Worst Information Technology Nightmare
Ransomware has become an all-too-frequent cyberplague that poses an enterprise-level threat to organizations unprepared for an assault. Strains of crypto-ransomware such as the Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for many years and continue to cause damage. The latest strains, including Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, as well as the unnamed variants that appear daily, not only encrypt online critical data but also reach any accessible system restore points and backups. Files synchronized to cloud environments can also be corrupted. In a poorly architected data protection solution, this can render automatic restore operations impossible and effectively set the network back to zero.
Restoring programs and data after a ransomware attack becomes a race against time as the targeted business fights to contain the damage, remove the malware, and resume business-critical operations. Because crypto-ransomware needs time to move laterally, intrusions are usually sprung at night, when attacks typically take longer to discover. This compounds the difficulty of promptly marshalling and organizing a capable mitigation team.
Progent offers an assortment of services for protecting enterprises against ransomware attacks. Among these are team education to help staff recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of next-generation security gateways using SentinelOne's machine learning technology to identify and quarantine new threats intelligently. Progent also offers the services of experienced ransomware recovery professionals with the track record and perseverance to restore a compromised network as urgently as possible.
Progent's Ransomware Recovery Services
Following a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will provide the keys to decrypt any of your files. Kaspersky determined that 17% of ransomware victims never restored their data after paying the ransom, resulting in further losses. The gamble is also expensive: Ryuk ransoms are typically several hundred thousand dollars, and for larger enterprises the demand can reach millions of dollars. The other path is to rebuild the vital components of your Information Technology environment. Without full data backups, this calls for a wide range of IT skills, well-coordinated team management, and the willingness to work non-stop until the job is completed.
For decades, Progent has provided certified expert Information Technology services for businesses across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the ability to rapidly identify critical systems, reorganize the remaining pieces of your Information Technology environment following a ransomware event, and assemble them into an operational network.
Progent's ransomware group utilizes state-of-the-art project management applications to orchestrate the complex recovery process. Progent knows the importance of working quickly and in concert with a customer's management and IT team members to assign priority to tasks and to get the most important systems back on line as fast as humanly possible.
Case Study: A Successful Ransomware Virus Response
A customer called in Progent after its organization was taken over by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state hackers, suspected of adapting algorithms leaked from the U.S. NSA. Ryuk goes after specific organizations with little or no tolerance for disruption and is one of the most profitable ransomware strains. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. Most of the client's data backups had been online at the beginning of the attack and were eventually encrypted. The client was considering paying the ransom (more than $200,000) and hoping for good luck, but in the end engaged Progent.
"I can't tell you enough about the help Progent gave us during the most critical period of (our) company's survival. We may have had to pay the hackers behind this attack except for the confidence the Progent team afforded us. The fact that you could get our e-mail and production applications back into operation quicker than one week was beyond my wildest dreams. Each person I spoke to or communicated with at Progent was hell bent on getting our system up and was working 24 by 7 on our behalf."
Progent worked with the client to quickly determine and assign priority to the critical services that had to be addressed to make it possible to resume business functions:
- Microsoft Active Directory
- Electronic Messaging
- MRP System
To start, Progent followed ransomware incident response best practices by halting the spread and cleaning up infected systems. Progent then began restoring Active Directory, the core of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not operate without Windows AD, and the business's accounting and MRP software relied on Microsoft SQL Server, which depends on Active Directory for authenticating and authorizing access to the data.
Within 2 days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then performed setup and storage recovery on the most important applications. All Exchange Server links and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Outlook Offline Data Files) on user desktop computers to recover email data. A fairly recent offline backup of the business's manufacturing systems made it possible to bring these vital services back into service for users. Although significant work remained to recover completely from the Ryuk attack, essential systems were returned to operation rapidly:
"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer deliverables."
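The recovery above depended on finding Outlook data files on desktops that the ransomware had not touched. The script below is an added illustration of how a responder can triage such files at scale; it is not Progent's tooling and is not from the case study. It relies on the documented MS-PST header (intact OST/PST files begin with the bytes "!BDN") and a Shannon-entropy heuristic; the entropy threshold, the directory layout and the sample files it builds are constructed assumptions.

```python
"""
Triage Outlook data files (OST/PST) on a recovered workstation, separating
files with an intact header from ones that look encrypted or corrupted.
Added example for illustration only; not from the original page.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# MS-PST file header: dwMagic is 0x4E444221, stored little-endian, so the
# first four bytes of an intact OST/PST file read "!BDN" in ASCII.
PST_MAGIC = b"!BDN"

# Shannon entropy (bits per byte, max 8.0) over the sampled prefix above this
# value is treated as a sign of ciphertext. The threshold is an assumption.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_header(prefix: bytes) -> str:
    """Classify a file's leading bytes as 'intact', 'suspect' or 'damaged'."""
    if prefix.startswith(PST_MAGIC):
        return "intact"
    if shannon_entropy(prefix) >= ENTROPY_THRESHOLD:
        return "suspect"   # magic gone and high entropy: likely encrypted
    return "damaged"       # magic gone, low entropy: truncated or corrupt


def triage_ost_files(root, sample_size: int = 4096) -> dict:
    """Walk `root` for *.ost/*.pst files and group their paths by class.

    Only the first `sample_size` bytes are read, so large mailboxes cost
    little. Files renamed by an attacker will not match the extension filter;
    widen the glob if the environment calls for it.
    """
    groups = {"intact": [], "suspect": [], "damaged": []}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".ost", ".pst"):
            with path.open("rb") as fh:
                prefix = fh.read(sample_size)
            groups[classify_header(prefix)].append(str(path))
    return groups


def build_demo_tree() -> str:
    """Create constructed sample files in a temp dir (not real mailboxes).

    mail.ost   - valid magic followed by low-entropy filler  -> intact
    user.ost   - random bytes standing in for ciphertext     -> suspect
    old.pst    - all zeros, as a truncated/zeroed file        -> damaged
    notes.txt  - unrelated file that must be ignored
    """
    root = tempfile.mkdtemp(prefix="ost_triage_")
    samples = {
        "mail.ost": PST_MAGIC + b"\x00" * 4092,
        "user.ost": os.urandom(4096),
        "old.pst": b"\x00" * 4096,
        "notes.txt": b"not a mailbox",
    }
    for name, content in samples.items():
        (Path(root) / name).write_bytes(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for label, paths in triage_ost_files(demo_root).items():
        print(f"{label:8s} {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Files in the "intact" group are candidates for importing into a rebuilt mailbox; "suspect" files should be preserved as evidence but not trusted. The header check is deliberately cheap so it can be pushed to every desktop before a full restore plan is settled.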
Over the following month, important milestones in the restoration process were accomplished in close cooperation between Progent engineers and the customer:
- Self-hosted web applications were brought back up without losing any information.
- The MailStore Server containing more than four million historical emails was brought on-line and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control capabilities were 100% restored.
- A new Palo Alto Networks 850 firewall was set up and programmed.
- Nearly all user desktops were back in use by staff.
"Much of what went on those first few days is mostly a blur for me, but we will not forget the care all of your team accomplished to help get our business back. I have entrusted Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered. This situation was no exception but maybe more Herculean."
Conclusion
A potential business extinction catastrophe was averted thanks to results-oriented professionals, a broad range of subject matter expertise, and tight teamwork. In hindsight, the crypto-ransomware intrusion described here could have been identified and stopped with up-to-date cyber security technology, NIST Cybersecurity Framework best practices, staff training, appropriate data protection procedures, and timely security patching. The reality, however, is that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and will keep trying. If you do fall victim to a ransomware intrusion, remember that Progent's team of experts has extensive experience in ransomware defense, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for letting me get rested after we made it through the initial push. Everyone did an amazing job, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this case study, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Bellevue a variety of remote monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services incorporate modern machine learning technology to detect zero-day strains of ransomware that can evade traditional signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT staff and your assigned Progent consultant so any potential problems can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Desktops
ProSight LAN Watch with NinjaOne RMM software delivers a centralized, cloud-based solution for managing your client-server infrastructure by offering tools for streamlining common time-consuming tasks. These can include health checking, patch management, automated repairs, endpoint configuration, backup and restore, anti-virus response, secure remote access, built-in and custom scripts, asset inventory, endpoint profile reports, and troubleshooting support. When ProSight LAN Watch with NinjaOne RMM uncovers a serious incident, it transmits an alert to your designated IT management staff and your Progent technical consultant so emerging problems can be taken care of before they impact your network. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring consulting.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, optimize and debug their connectivity appliances such as switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and manages the configuration of almost all devices connected to your network, tracks performance, and sends notices when problems are detected. By automating complex management processes, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing family of in-depth management reporting plug-ins designed to work with the top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-through or machines with out-of-date anti-virus software. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with leading backup/restore software providers to create ProSight Data Protection Services, a selection of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup operations and allow transparent backup and rapid restoration of vital files, applications, images, and VMs. ProSight DPS helps you avoid data loss resulting from hardware failures, natural disasters, fire, malware like ransomware, human mistakes, malicious insiders, or software bugs. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide centralized control and world-class protection for your email traffic. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to offer advanced defense against spam, viruses, Denial of Service attacks, Directory Harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and blocks most unwanted email before it reaches your security perimeter. This reduces your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance provides a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA services incorporate Cisco's Duo technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation on Apple iOS, Android, and other personal devices. With Duo 2FA, when you sign into a protected application and enter your password you are asked to verify who you are on a device that only you possess and that uses a different ("out-of-band") network channel. A wide range of devices can be used as this second means of authentication such as a smartphone or watch, a hardware/software token, a landline telephone, etc. You may designate multiple verification devices. For details about ProSight Duo identity authentication services, see Duo MFA two-factor authentication services for access security.
- Outsourced/Co-managed Service Center: Help Desk Managed Services
Progent's Help Center managed services allow your information technology staff to outsource Support Desk services to Progent or split activity for Help Desk services seamlessly between your internal network support staff and Progent's nationwide roster of IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent extension of your corporate support staff. End user interaction with the Help Desk, provision of support services, problem escalation, trouble ticket creation and updates, performance metrics, and management of the service database are consistent whether incidents are resolved by your in-house network support staff, by Progent, or both. Learn more about Progent's outsourced/shared Help Center services.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection managed service that uses cutting-edge behavioral machine learning tools to defend endpoints, servers, and VMs against modern malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a single platform to automate the complete threat lifecycle including blocking, identification, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as 50% of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent's Patch Management: Patch Management Services
Progent's managed services for patch management provide organizations of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information system. Besides optimizing the security and reliability of your computer environment, Progent's software/firmware update management services free up time for your IT staff to focus on more strategic projects and tasks that derive maximum business value from your information network. Learn more about Progent's patch management services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported easily to an alternate hosting environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's next generation behavior-based analysis tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which easily get by traditional signature-matching AV products. ProSight ASM protects local and cloud resources and offers a single platform to manage the entire threat lifecycle including filtering, infiltration detection, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and reaction to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering via cutting-edge tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP deployment that meets your company's unique requirements and that allows you to demonstrate compliance with government and industry information security standards. Progent will assist you in specifying and implementing the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also help you install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
For Bellevue 24x7x365 Crypto-Ransomware Repair Consulting, contact Progent at 800-462-8800 or go to Contact Progent.