Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level danger for organizations unprepared for an attack. Multiple generations of ransomware such as Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and continue to inflict destruction. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, plus daily unnamed newcomers, not only encrypt online data but also attack every reachable backup and system protection. Data synced to cloud environments can also be held hostage. In a poorly architected data protection solution, this can make automatic restoration hopeless and effectively knocks the datacenter back to square one.
Getting applications and data back online after a crypto-ransomware outage becomes a sprint against the clock as the targeted organization fights to contain the damage, eradicate the crypto-ransomware, and restore business-critical activity. Because crypto-ransomware takes time to spread, attacks are often launched on weekends and holidays, when they take longer to detect. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable response team.
Progent makes available an assortment of support services for protecting businesses from crypto-ransomware attacks. Among these are user education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security solutions with artificial intelligence capabilities from SentinelOne to identify and quarantine new cyber threats. Progent also offers the assistance of expert ransomware recovery consultants with the track record and commitment to re-deploy a breached environment as rapidly as possible.
Progent's Ransomware Recovery Services
Following a crypto-ransomware penetration, sending the ransom in cryptocurrency provides no assurance that the attackers will supply the keys to decrypt all your files. Kaspersky estimated that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are often several hundred thousand dollars. For larger organizations, the ransom demand can be in the millions of dollars. The alternative is to set up the vital elements of your IT environment from scratch. Without essential system backups, this requires a wide range of skills, professional team management, and the ability to work 24x7 until the task is complete.
For decades, Progent has provided professional IT services for companies throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the skills to quickly identify critical systems, organize the surviving pieces of your IT environment after a crypto-ransomware penetration, and rebuild them into a functioning network.
Progent's recovery team uses best-of-breed project management applications to orchestrate the sophisticated recovery process. Progent knows the urgency of acting rapidly and in unison with a client's management and IT resources to prioritize tasks and to put critical systems back online as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Response
A business hired Progent after their network was brought down by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored criminal gangs, possibly using techniques leaked from the United States NSA. Ryuk targets specific companies with limited tolerance for disruption and is one of the most lucrative examples of ransomware malware. Major victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with around 500 workers. The Ryuk penetration had paralyzed all business operations and manufacturing processes. The majority of the client's system backups had been online at the start of the intrusion and were damaged. The client was evaluating paying the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately called Progent.
"I cannot tell you enough about the expertise Progent gave us during the most critical period of (our) company's life. We had little choice but to pay the cybercriminals except for the confidence the Progent experts gave us. That you were able to get our messaging and critical applications back faster than five days was something I thought impossible. Every single expert I spoke to or e-mailed at Progent was amazingly focused on getting us back online and was working 24 by 7 to bail us out."
Progent worked with the customer to rapidly identify and prioritize the key systems that had to be addressed in order to continue company operations:
- Active Directory
- Microsoft Exchange Server
- Financials/MRP
To get going, Progent followed industry best practices for malware incident containment by stopping the spread and performing malware removal steps. Progent then began rebuilding Microsoft Active Directory, the heart of enterprise networks built on Microsoft technology. Microsoft Exchange email will not function without Windows AD, and the client's MRP applications relied on Microsoft SQL Server, which depends on Active Directory for authorization to the data.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then proceeded with the setup and storage recovery of the needed servers. All Microsoft Exchange Server schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to find non-encrypted OST files (Outlook Offline Data Files) on employee PCs and laptops and used them to recover mail data. A fairly recent offline backup of the client's accounting/ERP systems made it possible to put these required applications back in service. Although a lot of work remained to recover fully from the Ryuk damage, essential services were restored quickly:
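The mail recovery step above depends on quickly finding which Outlook OST files on endpoints survived the encryption. The following Python script is an added example written for this page, not Progent's tooling or part of the original case study. It walks a directory tree, locates files named like OST files (including ones with an appended extension, since many ransomware families rename what they encrypt), and classifies each by checking for the four-byte "!BDN" magic that Outlook writes at the start of every PST/OST file. The sample tree it builds is constructed test data, not a real client's files.

```python
import tempfile
from pathlib import Path

# Every Outlook PST/OST file begins with the ASCII magic "!BDN" (0x21 0x42 0x44 0x4E).
# A file whose first four bytes differ was overwritten, encrypted, or is not an OST at all.
OST_MAGIC = b"!BDN"


def classify_ost(path):
    """Return 'intact', 'damaged', or 'unreadable' based on the file header only."""
    try:
        with open(path, "rb") as f:
            header = f.read(len(OST_MAGIC))
    except OSError:
        # Locked by a running Outlook, permission denied, or vanished mid-scan.
        return "unreadable"
    return "intact" if header == OST_MAGIC else "damaged"


def inventory_ost_files(root):
    """Map every *.ost* file under root (recursively) to its classification.

    The glob deliberately matches 'mailbox.ost.locked' as well as 'mailbox.ost'
    so that files renamed by ransomware are still inventoried.
    """
    results = {}
    for p in Path(root).rglob("*.ost*"):
        if p.is_file():
            results[str(p)] = classify_ost(p)
    return results


def summarize(results):
    """Count files per classification so responders can size the recovery effort."""
    counts = {"intact": 0, "damaged": 0, "unreadable": 0}
    for verdict in results.values():
        counts[verdict] += 1
    return counts


def build_sample_tree():
    """Constructed sample data (hypothetical users): one intact OST, one encrypted OST
    that the attacker also renamed. Returns the temporary root directory."""
    root = Path(tempfile.mkdtemp(prefix="ost_inventory_"))
    intact = root / "Users" / "alice" / "alice@example.com.ost"
    intact.parent.mkdir(parents=True)
    intact.write_bytes(OST_MAGIC + b"\x00" * 60)
    damaged = root / "Users" / "bob" / "bob@example.com.ost.locked"
    damaged.parent.mkdir(parents=True)
    # Fixed pseudo-ciphertext bytes standing in for encrypted content.
    damaged.write_bytes(b"\x9c\x11\xe2\x7f\x3a\xb0\x44\xd9" * 8)
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    inventory = inventory_ost_files(sample_root)
    for path, verdict in sorted(inventory.items()):
        print(f"{verdict:10s} {path}")
    print(summarize(inventory))
```

Run it against a mounted endpoint image or a share of collected user profiles instead of the sample tree to get a first-pass list of mailboxes that can be recovered without paying. The header check is only a triage signal: a file with an intact header can still be truncated or partially encrypted, so the "intact" set should be opened with Outlook or a PST repair tool before it is relied on.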
"For the most part, the production line operation survived unscathed and we produced all customer deliverables."
During the next couple of weeks, critical milestones in the recovery project were achieved through tight collaboration between Progent consultants and the customer:
- In-house web sites were brought back up without losing any data.
- The MailStore email archive server for Microsoft Exchange, holding over 4 million archived emails, was spun up and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were fully functional.
- A new Palo Alto Networks 850 firewall was set up.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"So much of what occurred those first few days is mostly a blur for me, but I will not soon forget the care all of you accomplished to help get our business back. I have trusted Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This event was no exception but maybe more Herculean."
Conclusion
A probable business extinction disaster was averted through the efforts of top-tier experts, a wide array of IT skills, and tight teamwork. In hindsight, the ransomware incident described here would have been identified and blocked by current cyber security technology, NIST Cybersecurity Framework best practices, staff training, properly executed information protection procedures, and proper patching controls. The reality remains, however, that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incursion, be assured that Progent's roster of experts has extensive experience in ransomware blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), thanks very much for letting me get rested after we got over the first week. All of you did an impressive job, and if any of your team is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer case study, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Birmingham a portfolio of remote monitoring and security assessment services designed to help you to minimize your vulnerability to crypto-ransomware. These services include next-generation artificial intelligence capability to detect new strains of ransomware that can escape detection by traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next-generation behavior analysis technology to guard physical and virtual endpoints against new malware attacks like ransomware and fileless exploits, which routinely escape traditional signature-matching anti-virus tools. ProSight ASM protects local and cloud-based resources and provides a unified platform covering the entire malware attack lifecycle, including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to security threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering via leading-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization consultants can help your business to plan and configure a ProSight ESP environment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent can also help your company to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore software companies to produce ProSight Data Protection Services (DPS), a family of offerings that provide backup-as-a-service. ProSight DPS products automate and track your backup operations and allow transparent backup and fast restoration of vital files/folders, apps, system images, and virtual machines. ProSight DPS helps your business protect against data loss resulting from hardware failures, natural disasters, fire, cyber attacks such as ransomware, user error, ill-intentioned insiders, or application bugs. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security companies to provide centralized control and world-class protection for all your inbound and outbound email. The architecture of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises gateway device adds a further layer of analysis for inbound email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local gateway can also help Microsoft Exchange Server monitor and safeguard internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their connectivity hardware such as switches, firewalls, and access points plus servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are kept updated, captures and manages the configuration of virtually all devices on your network, monitors performance, and sends notices when potential issues are detected. By automating tedious management activities, WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding devices that need critical updates, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network operating efficiently by checking the state of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT management staff and your Progent consultant so that any looming issues can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect data about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By updating and managing your IT documentation, you can save up to 50% of the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your business network, such as recommended procedures and how-tos. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Learn more about the ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting-edge behavioral machine learning technology to guard endpoints as well as servers and VMs against new malware assaults like ransomware and fileless exploits, which easily escape traditional signature-matching AV tools. Progent Active Security Monitoring services protect local and cloud-based resources and provide a single platform covering the complete malware attack lifecycle, including blocking, identification, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
Progent's Call Center services enable your information technology staff to outsource Help Desk services to Progent or divide responsibilities for Service Desk support transparently between your internal support resources and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth supplement to your core network support staff. User access to the Help Desk, provision of technical assistance, escalation, trouble ticket creation and tracking, efficiency measurement, and management of the support database are consistent regardless of whether issues are taken care of by your in-house network support resources, by Progent's team, or both. Learn more about Progent's outsourced/shared Call Desk services.
- Patch Management: Patch Management Services
Progent's support services for patch management provide organizations of any size a flexible and affordable alternative for assessing, testing, scheduling, implementing, and documenting updates to your dynamic information system. Besides maximizing the protection and reliability of your IT environment, Progent's patch management services permit your IT team to focus on more strategic initiatives and activities that deliver maximum business value from your information network. Read more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo authentication service plans incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication. Duo supports one-tap identity verification with iOS, Google Android, and other out-of-band devices. With 2FA, when you log into a secured online account and give your password, you are asked to confirm who you are via a device that only you possess and that is reached over a different network channel. A wide selection of devices can be used for this added means of identity validation, including a smartphone or watch, a hardware or software token, or a landline telephone. You can designate several verification devices. To find out more about Duo identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of in-depth management reporting tools designed to work with the leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as inconsistent support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For 24x7x365 Birmingham Crypto Cleanup Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.