Ransomware: Your Crippling Information Technology Disaster
Ransomware has become an escalating cyber pandemic that poses an existential danger to businesses of all sizes that are poorly prepared for an attack. Older crypto-ransomware families such as CrySIS, CryptoWall, Bad Rabbit, SamSam and the MongoLock cryptoworms have been circulating for a long time and still inflict harm. The latest strains, such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with additional unnamed variants, not only encrypt online files but also attack any configured system protection, including backups. Data synchronized to the cloud can also be corrupted. In a poorly architected data protection solution, this can render automatic restore operations useless and effectively sets the entire system back to square one.
Restoring services and data after a ransomware outage becomes a race against time as the targeted business tries to stop lateral movement, eradicate the ransomware, and bring enterprise-critical operations back. Because ransomware needs time to move laterally, attacks are often launched during nights and weekends, when a successful intrusion typically takes longer to recognize. This compounds the difficulty of promptly mobilizing and coordinating a qualified mitigation team.
Progent offers a variety of solutions for protecting businesses from crypto-ransomware attacks. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances with artificial intelligence capabilities from SentinelOne to detect and stop zero-day threats quickly. Progent can also provide the services of seasoned ransomware recovery professionals with the track record and commitment to rebuild a compromised network as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the remote criminals will provide the keys to decrypt any or all of your information. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET estimates to be in the range of $13,000. The fallback is to piece back together the vital parts of your Information Technology environment. Without access to essential data backups, this requires a wide range of IT skills, professional team management, and the willingness to work 24x7 until the task is done.
For decades, Progent has offered professional IT services to businesses in Boise and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP software. This breadth of experience gives Progent the capability to efficiently identify critical systems, reorganize the surviving components of your network environment after a ransomware attack, and assemble them into an operational network.
Progent's security team uses top-notch project management systems to coordinate the complicated restoration process. Progent appreciates the importance of working rapidly and in concert with a client's management and IT staff to prioritize tasks and to get critical applications back online as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Attack Response
A small business escalated to Progent after their company was brought down by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state hackers, possibly using algorithms leaked from the U.S. NSA. Ryuk targets specific organizations with little or no ability to sustain disruption and is among the most lucrative iterations of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer based in the Chicago metro area with about 500 workers. The Ryuk event had disabled all company operations and manufacturing processes. Most of the client's backups were directly accessible online at the time of the attack and were destroyed. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot speak enough in regards to the expertise Progent provided us throughout the most fearful period of (our) business's survival. We may have had to pay the Hackers if not for the confidence the Progent team provided us. That you were able to get our e-mail system and critical servers back in less than five days was something I thought impossible. Each person I talked with or communicated with at Progent was amazingly focused on getting us restored and was working non-stop to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the key systems that had to be addressed in order to keep departmental functions running:
- Windows Active Directory
- Microsoft Exchange Server
To start, Progent followed ransomware incident mitigation best practices by halting the spread and disinfecting systems. Progent then began restoring Windows Active Directory, the foundation of enterprise environments built on Microsoft technology. Exchange email will not function without AD, and the customer's accounting and MRP applications relied on SQL Server, which requires Active Directory for authentication and authorization to the data.
Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with rebuilding the needed servers and recovering their hard drives. All Exchange data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to collect unencrypted OST files (Outlook offline data files) from user desktop computers to recover email data. A recent offline backup of the client's financials/ERP software allowed those vital services to be brought back online. Although major work remained to recover completely from the Ryuk attack, core systems were restored rapidly:
"For the most part, the production manufacturing operation never missed a beat and we produced all customer shipments."
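As an added example, not Progent's tooling and not part of the original case study, the following Python script illustrates the OST salvage step described above: it walks a directory tree, finds Outlook mailbox files even when ransomware has appended its own extension, and uses the MS-PST header signature ("!BDN", with client type "SM" for PST or "SO" for OST) plus a first-block entropy check to separate files that still look intact from those that were encrypted. The sample directory it builds is constructed here for illustration.

```python
"""Triage Outlook OST/PST files after a ransomware incident (added example).

Ransomware usually encrypts a file in place and often appends its own
extension, so the name alone is unreliable. The Outlook Personal Folders
format (MS-PST) starts with the 4-byte signature "!BDN"; bytes 8-9 hold a
client type, "SM" for PST and "SO" for OST. A file whose header still
matches is a recovery candidate; one that does not, especially with a
near-8-bits-per-byte first block, was most likely encrypted.
"""
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass

MAGIC = b"!BDN"
CLIENT_TYPES = {b"SM": "PST", b"SO": "OST"}
MAILBOX_EXTS = {"ost", "pst"}   # matched anywhere in the dotted name


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ~8.0 means random or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Verdict:
    path: str
    kind: str        # "PST", "OST", or "unknown"
    intact: bool     # header signature still present
    entropy: float   # of the first 4 KiB, rounded


def classify(path: str) -> Verdict:
    """Inspect the first block of a file and decide whether it looks intact."""
    with open(path, "rb") as f:
        head = f.read(4096)
    intact = head[:4] == MAGIC
    kind = CLIENT_TYPES.get(head[8:10], "unknown") if intact else "unknown"
    return Verdict(path, kind, intact, round(shannon_entropy(head), 2))


def triage(root: str) -> dict:
    """Walk a tree and sort mailbox candidates into recoverable vs. damaged."""
    result = {"recoverable": [], "damaged": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            # "archive.pst.locked" still qualifies: the mailbox extension may
            # be followed by whatever suffix the ransomware appended.
            if not MAILBOX_EXTS & set(name.lower().split(".")[1:]):
                continue
            v = classify(os.path.join(dirpath, name))
            result["recoverable" if v.intact else "damaged"].append(v)
    return result


def build_sample_tree(root: str) -> None:
    """Write two constructed files: an intact OST and an encrypted look-alike."""
    intact = MAGIC + b"\x00" * 4 + b"SO" + b"\x17\x00" + b"\x00" * 500
    with open(os.path.join(root, "user.ost"), "wb") as f:
        f.write(intact)
    with open(os.path.join(root, "archive.pst.locked"), "wb") as f:
        f.write(os.urandom(4096))   # stands in for ciphertext


def demo() -> dict:
    """Run the triage over the constructed sample tree and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for bucket, verdicts in demo().items():
        for v in verdicts:
            print(f"{bucket:12} {v.kind:8} entropy={v.entropy:5.2f} {v.path}")
```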
Throughout the following month, important milestones in the restoration project were completed in tight collaboration between Progent engineers and the client:
- In-house web applications were brought back up with no loss of information.
- The MailStore Exchange Server with over 4 million historical emails was spun up and accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory capabilities were 100% functional.
- A new Palo Alto Networks 850 security appliance was set up.
- Nearly all of the desktops and laptops were fully operational.
"A lot of what occurred that first week is mostly a haze for me, but my team will not forget the commitment each of your team put in to help get our company back. I have utilized Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a life saver."
A probable business catastrophe was averted through hard-working professionals, a broad spectrum of technical expertise, and tight collaboration. Although, in hindsight, the ransomware attack described here should have been stopped by modern security technology, security best practices, team training, and well-thought-out incident response procedures covering data backup and proper patching controls, the fact is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's team of professionals has a proven track record in crypto-ransomware defense, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), thank you for allowing me to get rested after we made it over the most critical parts. Everyone did a fabulous job, and if anyone is in the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Boise a portfolio of online monitoring and security evaluation services designed to help you minimize the threat from crypto-ransomware. These services incorporate modern artificial intelligence technology to detect zero-day strains of crypto-ransomware that can evade legacy signature-based anti-virus products.
For Boise 24-hour CryptoLocker cleanup experts, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which routinely escape traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to automate the complete threat lifecycle, including filtering, detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and respond to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge tools incorporated within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP environment that addresses your organization's specific needs and that allows you to demonstrate compliance with government and industry information security regulations. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent's consultants can also help you set up and test a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with leading backup/restore software companies to produce ProSight Data Protection Services (DPS), a selection of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup processes and enable non-disruptive backup and fast restoration of critical files, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, user error, ill-intentioned employees, or software bugs. Managed services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security companies to provide web-based management and comprehensive protection for your inbound and outbound email. The architecture of Progent's Email Guard combines cloud-based filtering with a local gateway appliance to offer advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and keeps most unwanted email from ever reaching your network firewall. This decreases your exposure to inbound attacks and saves bandwidth and storage space. Email Guard's onsite gateway device provides a further layer of analysis for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also assist Exchange Server in monitoring and protecting internal email that originates and ends within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, monitor, enhance and debug their connectivity appliances like routers and switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration of virtually all devices on your network, tracks performance, and sends notices when potential issues are detected. By automating tedious management processes, ProSight WAN Watch can knock hours off common chores such as network mapping, expanding your network, finding appliances that need critical software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to help keep your IT system running efficiently by checking the health of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT management personnel and your Progent consultant so that any potential problems can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hosting solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data about your network infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can eliminate up to half of time wasted searching for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next-generation behavior analysis technology to guard endpoint devices and physical and virtual servers against new malware attacks like ransomware and fileless exploits, which routinely evade traditional signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a single platform to automate the complete malware attack lifecycle, including protection, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Service Center: Help Desk Managed Services
Progent's Call Center managed services allow your information technology group to outsource Support Desk services to Progent or divide activity for Service Desk support seamlessly between your internal network support staff and Progent's extensive pool of IT support engineers and subject matter experts. Progent's Shared Service Desk offers a transparent extension of your in-house network support organization. User access to the Help Desk, delivery of technical assistance, issue escalation, trouble ticket generation and updates, performance measurement, and management of the support database are consistent whether incidents are taken care of by your in-house network support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Call Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide businesses of all sizes a flexible and affordable solution for evaluating, validating, scheduling, applying, and tracking updates to your ever-evolving information system. In addition to optimizing the security and functionality of your computer network, Progent's software/firmware update management services free up time for your IT staff to focus on more strategic projects and tasks that derive maximum business value from your information network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA services use Cisco's Duo technology to defend against compromised passwords through two-factor authentication. Duo supports single-tap identity confirmation on Apple iOS, Android, and other personal devices. With Duo 2FA, whenever you sign into a secured application and enter your password, you are asked to verify who you are via a device that only you possess and that is reached over a different network channel. A wide range of out-of-band devices can be used for this added means of identity validation, including an iPhone, Android phone or wearable, a hardware or software token, a landline telephone, and more. You can designate several verification devices. For more information about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of in-depth management reporting plug-ins created to work with the industry's top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-through or machines with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.