Ransomware: Your Feared Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger to businesses poorly prepared for an attack. Ransomware families such as CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock have been spreading for a long time and continue to cause havoc. The latest variants, such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with newer malware not yet named, not only encrypt online files but also corrupt any reachable system restore points and backups. Data synced to the cloud can be encrypted as well. In a poorly designed environment this can make restoration hopeless and effectively sets the datacenter back to zero.
Recovering applications and data after a ransomware event becomes a race against the clock as the victim works to stop lateral movement, clean up the ransomware, and resume business-critical operations. Because ransomware needs time to move laterally, attacks are usually sprung on weekends and at night, when intrusions may take longer to detect. This multiplies the difficulty of promptly assembling and organizing a capable response team.
Progent offers a variety of services for protecting enterprises against ransomware intrusions. These include user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of machine-learning security products from SentinelOne to detect and suppress zero-day attacks. Progent also provides experienced ransomware recovery consultants with the track record and perseverance to redeploy a compromised system as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware event, paying the ransom in cryptocurrency gives no assurance that the criminal gang will supply the keys to decrypt any or all of your data. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. Paying is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET puts at an average of around $13,000. The fallback is to rebuild the vital elements of your IT environment from scratch. Without complete data backups, this calls for a broad complement of skills, professional project management, and the capacity to work continuously until the recovery is complete.
For decades, Progent has provided certified expert IT services to companies in Birmingham and throughout the United States, and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers with high-level certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth of expertise gives Progent the skills to rapidly identify the necessary systems, consolidate the remaining pieces of your network after a ransomware intrusion, and configure them into an operational system.
Progent's recovery team uses best-of-breed project management systems to coordinate the complex recovery process. Progent appreciates the urgency of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and bring the most important services back online as soon as possible.
Client Story: A Successful Crypto-Ransomware Attack Restoration
A business escalated to Progent after its network was brought down by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored cybercriminals, suspected of adopting techniques exposed from the U.S. NSA. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most profitable ransomware variants. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with about 500 staff members. The Ryuk intrusion had disabled all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the start of the intrusion and were damaged. The client was considering paying the ransom demand (in excess of $200,000) and hoping for good luck, but in the end reached out to Progent.
"I cannot thank you enough for the help Progent gave us throughout the most stressful period of (our) company's existence. We would have had little choice but to pay the cybercriminals if not for the confidence the Progent group afforded us. The fact that you were able to get our messaging and production servers back online in less than a week was incredible. Each person I worked with or texted at Progent was totally committed to getting us restored and was working all day and night to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the most important areas that had to be restored in order to keep departmental functions running:
- Windows Active Directory
- Microsoft Exchange Email
- MRP System
To begin, Progent followed industry best practices for malware incident response by halting lateral movement and cleaning up compromised systems. Progent then began recovering Windows Active Directory, the core of enterprise environments built on Microsoft technology. Exchange email will not operate without Active Directory, and the client's accounting and MRP system relied on Microsoft SQL Server, which depends on Windows AD for database access.
In less than 2 days, Progent rebuilt Active Directory services to their pre-intrusion state. Progent then pressed ahead with reinstallation and storage recovery of the needed systems. All Microsoft Exchange Server schema and configuration information was intact, which simplified the rebuild of Exchange. Progent located unencrypted OST files (Outlook Offline Folder Files) on user workstations and used them to recover email messages. A fairly recent offline backup of the client's financials/ERP systems made it possible to bring these vital applications back online for users. Although a great deal of work remained to recover fully from the Ryuk attack, essential systems were restored quickly:
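The OST recovery step above depends on quickly telling which Outlook data files on workstations are still intact and which were overwritten by the ransomware. The following script is an added example written for this page, not Progent's tooling: it walks a directory tree, matches Outlook data files (including names with an appended extension, since ransomware typically appends its own), and checks each file head for the PST/OST magic bytes "!BDN". Files without the magic are flagged as likely encrypted when the head is high-entropy. The entropy threshold, the placeholder ".encrypted" extension and the sample tree are assumptions constructed for the demo.

```python
"""Triage Outlook OST/PST files on workstations after a ransomware event.

Added example (not Progent's code): reports which Outlook data files under a
root directory still carry the PST/OST magic header (restorable) and which
look encrypted. The sample tree is constructed below so it runs offline.
"""
import math
import os
import tempfile
from pathlib import Path

# Every Outlook PST/OST file starts with the 4-byte magic "!BDN".
OST_MAGIC = b"!BDN"
# Assumed threshold (bits/byte) above which a file head is treated as ciphertext.
ENCRYPTED_ENTROPY = 7.5
HEAD_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in data (8.0 means uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_head(head: bytes) -> str:
    """'intact' if the OST magic is present, 'likely_encrypted' if the head
    is high-entropy, otherwise 'unknown' (needs a manual look)."""
    if head[:4] == OST_MAGIC:
        return "intact"
    if shannon_entropy(head) >= ENCRYPTED_ENTROPY:
        return "likely_encrypted"
    return "unknown"


def looks_like_outlook_file(name: str) -> bool:
    """Match mailbox.ost as well as mailbox.ost.<appended ext>, because
    ransomware usually appends its own extension rather than replacing it."""
    parts = name.lower().split(".")
    return any(p in ("ost", "pst") for p in parts[1:])


def triage(root: Path) -> dict:
    """Return {relative path: verdict} for every Outlook data file under root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not looks_like_outlook_file(fname):
                continue
            full = Path(dirpath) / fname
            with open(full, "rb") as fh:
                head = fh.read(HEAD_SIZE)
            results[full.relative_to(root).as_posix()] = classify_head(head)
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample workstation share: one intact OST, one OST whose body
    was overwritten with high-entropy data and renamed with a placeholder
    '.encrypted' extension, and one unrelated text file."""
    (root / "users" / "alice").mkdir(parents=True)
    (root / "users" / "bob").mkdir(parents=True)
    intact = OST_MAGIC + b"\x00" * 60 + b"ost-body " * 500
    (root / "users" / "alice" / "mailbox.ost").write_bytes(intact)
    # Every byte value 16 times: exactly 8.0 bits/byte, like ciphertext.
    ciphertext = bytes(range(256)) * 16
    (root / "users" / "bob" / "mailbox.ost.encrypted").write_bytes(ciphertext)
    (root / "users" / "bob" / "notes.txt").write_text("not an outlook file")


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for path, verdict in sorted(run_demo().items()):
        print(f"{verdict:17} {path}")
```

In a real engagement you would point `triage` at the mounted workstation shares rather than the constructed tree; "intact" files are candidates for re-import into rebuilt mailboxes, "likely_encrypted" ones are not worth copying, and "unknown" files deserve a manual check before being discarded.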
"For the most part, the manufacturing operation survived unscathed and we made all customer shipments."
Over the following few weeks, critical milestones in the recovery were completed through close cooperation between Progent engineers and the customer:
- Internal web sites were returned to operation with no loss of information.
- The MailStore Exchange Server containing more than four million historical emails was brought on-line and accessible to users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory capabilities were completely functional.
- A new Palo Alto 850 firewall was installed and configured.
- 90% of the desktops and laptops were fully operational.
"So much of what occurred during the initial response is mostly a haze for me, but I will not forget the countless hours all of the team put in to help get our company back. I have been working with Progent for at least 10 years, possibly more, and each time Progent has come through and delivered. This event was a testament to your capabilities."
A potentially business-ending disaster was averted through the efforts of results-oriented professionals, a broad spectrum of IT skills, and tight teamwork. Although in hindsight the ransomware incident described here should have been blocked by up-to-date security systems and best practices, staff education, properly executed information protection procedures and sound patching controls, the fact is that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has proven experience in ransomware blocking, mitigation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), I'm grateful for allowing me to get some sleep after we made it through the most critical parts. All of you did an incredible job, and if any of your team is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Birmingham a range of remote monitoring and security assessment services designed to help you minimize the threat from ransomware. These services include modern machine learning technology to uncover zero-day variants of crypto-ransomware that evade legacy signature-based security products.
For 24/7 Birmingham Ransomware Remediation Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to address the entire malware attack progression including blocking, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback with Windows VSS and real-time network-wide immunization against new threats. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer economical in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and response to security attacks from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP environment that meets your organization's unique requirements and that allows you to prove compliance with legal and industry information protection regulations. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also help your company install and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with advanced backup/restore software providers to create ProSight Data Protection Services, a family of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup processes and enable transparent backup and rapid recovery of vital files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human mistakes, malicious insiders, or software bugs. Managed backup services in the ProSight DPS product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security vendors to deliver web-based management and comprehensive security for your email traffic. The layered structure of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This reduces your exposure to external threats and conserves bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of analysis for incoming email. For outbound email, the onsite security gateway offers AV and anti-spam filtering, DLP, and email encryption. The local gateway can also help Exchange Server monitor and protect internal email that stays inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, enhance and troubleshoot their connectivity hardware like routers, firewalls, and load balancers as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration of almost all devices on your network, monitors performance, and sends notices when problems are discovered. By automating complex network management processes, WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, finding appliances that need critical updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to keep your IT system operating at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT staff and your assigned Progent consultant so that any potential problems can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure, fault-tolerant data center on a fast virtual host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved easily to a different hardware solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can save up to half of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Read more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes cutting-edge behavioral machine learning technology to guard endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching AV products. Progent ASM services protect on-premises and cloud-based resources and offer a unified platform to manage the complete threat progression including filtering, intrusion detection, mitigation, remediation, and forensics. Top features include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Help Center: Call Center Managed Services
Progent's Call Center managed services enable your information technology group to offload Support Desk services to Progent or split responsibilities for Help Desk services transparently between your internal support team and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a seamless extension of your core support group. Client interaction with the Help Desk, provision of support services, issue escalation, ticket generation and updates, performance measurement, and maintenance of the service database are cohesive regardless of whether incidents are taken care of by your corporate support group, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Help Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management offer businesses of any size a flexible and cost-effective solution for assessing, testing, scheduling, applying, and tracking updates to your dynamic IT system. Besides optimizing the security and reliability of your computer network, Progent's patch management services allow your in-house IT team to concentrate on more strategic initiatives and activities that deliver the highest business value from your information network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against password theft by using two-factor authentication (2FA). Duo supports one-tap identity verification on iOS, Google Android, and other out-of-band devices. With 2FA, when you sign into a protected application and enter your password, you are asked to verify your identity on a device that only you possess and that is reached over a different network channel. A broad range of devices can be used for this added factor, such as an iPhone, an Android phone, a wearable, a hardware or software token, or a landline telephone. You may designate several verification devices. To find out more about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services.