Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become a modern cyber pandemic that presents an existential threat to businesses of all sizes that are poorly prepared for an attack. Families such as Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock have circulated for years and continue to cause damage (only WannaCry and Bad Rabbit were true self-propagating worms; the others depend on an attacker or script first gaining access). Current variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with many that never get a name, do more than encrypt online data files: before encrypting they delete Volume Shadow Copies, wipe backup catalogs and reach into any backup repository accessible from a compromised account. Files synchronized to the cloud are hit as well, because the sync client faithfully uploads the encrypted versions over the originals. In a poorly designed environment this renders automated restoration useless and effectively sets the datacenter back to square one.
Recovering services and data after a ransomware attack is a race against time: the victim must contain the damage, eradicate the ransomware and resume mission-critical activity all at once. Because encrypting an entire network takes hours, attackers frequently launch the final stage on weekends and holidays, when fewer people are watching and the attack takes longer to identify. This compounds the difficulty of rapidly mobilizing and orchestrating a knowledgeable mitigation team.
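The recovery-tampering step described above (shadow copy deletion, backup catalog wipes, boot recovery disabled) is one of the highest-value alerts a security team can tune, because it reliably precedes mass encryption by minutes and is noisy enough to catch even on a weekend. The following Python script is an added example, not Progent's or SentinelOne's tooling: it scans process-creation records (the fields you would export from Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1) for commands that remove Windows recovery paths, and escalates hosts where several such commands cluster. The event records, host names and user names are constructed for the example; the detection patterns and the burst threshold are assumptions to tune for your environment.

```python
"""Flag process-creation events that disable Windows recovery paths before encryption.

Added example, not Progent's or SentinelOne's tooling. Events, hosts and users
below are constructed; the patterns and burst threshold are assumptions to tune.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    command: str
    reason: str


# Each rule: (compiled regex over the command line, human-readable reason).
RECOVERY_TAMPER_RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
     "shadow copy deletion"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
     "shadow storage shrink (evicts existing copies)"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
     "shadow copy deletion via WMI"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
     "Windows Backup catalog deletion"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I),
     "boot recovery disabled"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b", re.I),
     "boot failure prompts suppressed"),
]

# Constructed sample: (timestamp, host, user, command line), as you would export
# from Security event 4688 (with command-line auditing on) or Sysmon event 1.
SAMPLE_EVENTS = [
    ("2020-05-09T02:13:40Z", "FS01", "CORP\\svc_backup",
     "wbadmin start backup -backupTarget:\\\\nas\\backups -include:D:"),
    ("2020-05-09T02:14:02Z", "FS01", "CORP\\jdoe", "vssadmin.exe Delete Shadows /all /quiet"),
    ("2020-05-09T02:14:03Z", "FS01", "CORP\\jdoe",
     "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ("2020-05-09T02:14:05Z", "FS01", "CORP\\jdoe", "bcdedit /set {default} recoveryenabled No"),
    ("2020-05-09T02:14:06Z", "FS01", "CORP\\jdoe", "wbadmin DELETE CATALOG -quiet"),
    ("2020-05-09T02:20:11Z", "WS17", "CORP\\asmith", "vssadmin list shadows"),
    ("2020-05-09T09:00:00Z", "WS17", "CORP\\asmith", "notepad.exe C:\\Users\\asmith\\notes.txt"),
]


def scan_events(events):
    """Return a Finding for every event whose command line matches a tamper rule."""
    findings = []
    for ts, host, user, cmd in events:
        for pattern, reason in RECOVERY_TAMPER_RULES:
            if pattern.search(cmd):
                findings.append(Finding(ts, host, user, cmd, reason))
                break  # one reason per event is enough
    return findings


def hosts_to_escalate(findings, min_hits=3):
    """Hosts with several tamper commands in the batch. A lone 'vssadmin delete shadows'
    may be an admin reclaiming disk; three or more in sequence almost never are."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.user}: {f.reason}: {f.command}")
    print("escalate:", hosts_to_escalate(hits))
```

The legitimate `wbadmin start backup` and `vssadmin list shadows` lines are left alone; only the four destructive commands on FS01 match, and FS01 is escalated because they arrive as a burst. In production this logic belongs in the SIEM or EDR rule engine, where a burst rule should also fire on the same commands issued through PowerShell, WMI or a scheduled task rather than cmd.exe.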
Progent offers a variety of services for protecting organizations from ransomware attacks. These include staff training to recognize and avoid phishing lures, ProSight Active Security Monitoring, a managed endpoint protection service built on SentinelOne's behavior-based agent that detects and quarantines new threats without relying on signatures, and ongoing remote monitoring and management. Progent can also provide experienced ransomware recovery consultants with the skill and perseverance to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Following a crypto-ransomware attack, paying the ransom (typically demanded in Bitcoin) gives no assurance that the criminals will deliver a working decryption key. Kaspersky Lab found that 17% of ransomware victims never recovered their files after paying, compounding their losses. Paying is also expensive: Ryuk demands frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the essential components of your IT environment. Without complete backups that the attacker could not reach, this requires a wide complement of skills, well-coordinated project management and the capacity to work non-stop until the job is done.
For twenty years, Progent has provided expert information technology services for businesses in Boise and across the U.S. and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's subject matter experts (SMEs) include consultants holding top certifications in leading technologies such as Microsoft, Cisco, VMware and the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC and SANS GIAC (visit Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise allows Progent to quickly identify critical systems, organize the surviving pieces of your network environment following a ransomware attack and bring them back together as a functioning network.
Progent's security team uses state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent appreciates the importance of working rapidly and in concert with a client's management and IT team members to prioritize tasks and to get essential services back on-line as fast as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Recovery
A client hired Progent after its operations were brought down by Ryuk ransomware. Ryuk was initially attributed by some researchers to North Korean state-sponsored actors because its code borrows from the earlier Hermes ransomware; most subsequent analysis attributes it to a Russian-speaking criminal group that deploys it by hand after a prior TrickBot or Emotet infection gives them a foothold. Either way, Ryuk targets specific organizations with little or no tolerance for disruption and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business in the Chicago metro area with around 500 staff. The Ryuk intrusion had frozen all company operations and manufacturing. Most of the client's backups had been online and reachable from the network at the time of the attack, and were encrypted along with everything else. The client was preparing to pay the ransom (over $200K) and hope for the best, but in the end decided to engage Progent.
"I cannot speak enough in regards to the expertise Progent gave us throughout the most fearful period of (our) business's life. We would have paid the Hackers except for the confidence the Progent team provided us. The fact that you could get our e-mail and essential applications back in less than seven days was earth shattering. Each expert I worked with or messaged at Progent was absolutely committed to getting us working again and was working 24 by 7 to bail us out."
Progent worked together with the client to quickly determine and assign priority to the most important elements that needed to be restored to make it possible to continue business functions:
- Active Directory (AD)
- E-Mail
- Financials/MRP
To start, Progent followed ransomware incident response best practice by isolating affected systems to stop the spread and cleaning the malware from infected hosts. Progent then began restoring Active Directory, the foundation of any enterprise network built on Microsoft Windows: Microsoft Exchange cannot start without AD, and the client's MRP software ran on Microsoft SQL Server, which relied on AD (Windows authentication) for access to its data.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then assisted with reinstalling and recovering storage for the most important applications. All Exchange Server objects and attributes in AD were intact, which simplified the Exchange restore. Progent was also able to gather intact OST files (Outlook Offline Folder Files, each holding a cached copy of the user's mailbox) from user PCs and laptops to recover mail messages. A fairly recent offline backup of the accounting system made it possible to bring those vital applications back online. Although major work remained before the Ryuk attack was fully remediated, core systems were recovered rapidly:
"For the most part, the production operation survived unscathed and we made all customer orders."
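Before a restore can be prioritized the way described above, responders need a quick, honest picture of which folders and backup sets were actually encrypted and which survived (in this case, the online backups were lost and an offline accounting backup was not). The following Python script is an added example, not part of Progent's case study or its tooling: it builds a small constructed directory tree, then classifies each file by three signals, a known ransomware extension (.RYK, which Ryuk appended to encrypted files), a ransom note in the same folder, and the Shannon entropy of the contents, which is close to 8 bits per byte for ciphertext and far lower for ordinary documents. The entropy threshold, indicator lists and sample files are assumptions constructed for the example; the entropy check is what catches encrypted files whose original extension was left alone.

```python
"""Post-incident file triage: which folders were encrypted, which survived?

Added example, not Progent's code. The directory tree, indicator lists and
entropy threshold are constructed/assumed for illustration.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXTENSIONS = {".ryk"}                           # Ryuk appends .RYK; extend per family
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html"}
HIGH_ENTROPY_BITS = 7.5                                    # assumed threshold, bits per byte
MIN_ENTROPY_SAMPLE = 512                                   # too few bytes makes entropy noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, ~4-5 for text, 0 for zero-filled files."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """One of: ransom_note, encrypted, suspect_high_entropy, intact."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    data = path.read_bytes()
    if len(data) >= MIN_ENTROPY_SAMPLE and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
        # Encrypted with the extension left alone, or a legitimately compressed/encrypted file:
        # either way it cannot be trusted as a restore source without further checks.
        return "suspect_high_entropy"
    return "intact"


def triage(root: Path) -> dict:
    """Map each directory (relative to root, POSIX style) to a Counter of classifications."""
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.parent.relative_to(root).as_posix()
            report.setdefault(rel, Counter())[classify(p)] += 1
    return report


def affected_dirs(report: dict) -> list:
    """Directories with any sign of encryption; these need restore or isolation."""
    bad = {"ransom_note", "encrypted", "suspect_high_entropy"}
    return sorted(d for d, c in report.items() if any(c[k] for k in bad))


def clean_dirs(report: dict) -> list:
    """Directories where every file looks intact: candidate restore sources, pending a hash check."""
    affected = set(affected_dirs(report))
    return sorted(d for d in report if d not in affected)


def pseudo_ciphertext(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output (SHA-256 counter stream)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one share hit by Ryuk-style encryption, one offline backup set untouched."""
    share = root / "shares" / "finance"
    share.mkdir(parents=True)
    (share / "RyukReadMe.txt").write_text("Your network has been penetrated...\n")
    (share / "q1_ledger.xlsx.RYK").write_bytes(pseudo_ciphertext(4096, b"a"))
    (share / "budget.docx.RYK").write_bytes(pseudo_ciphertext(4096, b"b"))
    (share / "payroll.csv").write_bytes(pseudo_ciphertext(4096, b"c"))  # encrypted, extension untouched
    offline = root / "offline_backup"
    offline.mkdir()
    rows = "".join(f"2020-05-0{i},1000,{i * 10}\n" for i in range(1, 10))
    (offline / "ledger_2020-05-01.csv").write_text("date,account,amount\n" + rows * 20)
    (offline / "notes.txt").write_text("plain text survives\n")


def run_sample() -> dict:
    """Build the constructed tree in a temp dir, triage it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    rep = run_sample()
    for d, c in rep.items():
        print(f"{d}: {dict(c)}")
    print("affected:", affected_dirs(rep))
    print("clean:", clean_dirs(rep))
```

Run against a mounted file share or a backup volume, the per-directory counts tell you immediately which shares are a total loss, which have a mix (worth checking for files the encryptor skipped) and which sets are clean enough to be restore candidates. Treat "intact" as provisional: a backup set that survived only because the encryptor had not reached it yet should still be verified against known-good hashes and taken offline before any restore begins.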
Throughout the following couple of weeks key milestones in the restoration project were completed in close cooperation between Progent engineers and the client:
- In-house web sites were restored without losing any information.
- The MailStore Server containing more than 4 million historical messages was brought online and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory modules were completely operational.
- A new Palo Alto 850 firewall was set up.
- 90% of the user desktops and notebooks were operational.
"So much of what transpired during the initial response is mostly a haze for me, but our team will not forget the dedication each of you accomplished to give us our business back. I have been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has shined and delivered. This situation was the most impressive ever."
Conclusion
A potentially business-ending catastrophe was averted through results-oriented experts, a wide range of knowledge and close teamwork. Post-incident forensics showed that this attack could have been identified and blocked with current security tooling and recognized best practices: user and administrator training, backup procedures that keep offline copies out of an attacker's reach, timely patching and a rehearsed incident response plan. Even so, the groups behind today's ransomware, whether criminal gangs or state-sponsored teams from North Korea, China and elsewhere, are relentless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has proven experience in ransomware defense, mitigation and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), I'm grateful for making it so I could get some sleep after we got past the most critical parts. All of you did an incredible job, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Boise a range of remote monitoring and security assessment services designed to help you reduce your exposure to ransomware. These services use behavior-based machine learning to detect novel strains of ransomware that evade legacy signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next-generation behavior analysis to guard physical and virtual endpoints against new malware such as ransomware and file-less exploits, which routinely get past traditional signature-matching anti-virus tools. ProSight ASM safeguards local and cloud resources and offers a unified platform covering the entire attack progression: protection, detection, containment, cleanup and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. One caveat worth stating plainly: ransomware routinely deletes existing shadow copies before it starts encrypting (Ryuk's deployment script does exactly this), so VSS-based rollback is only as good as the agent's ability to block that deletion. Verify the rollback path in a test before you depend on it, and keep it as one layer alongside offline backups rather than a replacement for them. Progent is a SentinelOne Partner, reseller and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and virtual machines, workstations, smartphones and Microsoft Exchange. ProSight ESP uses adaptive security and machine learning for round-the-clock monitoring and response to threats across all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management and web filtering through tools packaged within a single agent and managed from a unified console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP environment that addresses your company's specific requirements and that allows you to demonstrate compliance with government and industry information security standards. Progent will help you define and configure the security policies that ProSight ESP enforces, and will monitor your IT environment and respond to alerts that call for immediate attention. Progent's consultants can also help you set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services, a selection of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and allow non-disruptive backup and rapid recovery of important files, applications, system images, and virtual machines. ProSight DPS lets your business recover from data loss resulting from equipment failures, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or software bugs. Managed services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses technology from leading information security companies to provide web-based management and strong security for your inbound and outbound email. Email Guard's layered architecture combines cloud-based filtering with a local gateway appliance to protect against spam, viruses, denial of service (DoS) attacks, directory harvest attacks (DHAs) and other email-borne threats. The Cloud Protection Layer serves as the first line of defense and stops most threats before they reach your network firewall, which reduces your exposure to inbound attacks and saves bandwidth and storage. Email Guard's onsite gateway appliance provides a second, deeper layer of analysis for incoming email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, policy-based data loss prevention and email encryption. The onsite gateway can also work with Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, optimize and debug their networking hardware like routers, firewalls, and load balancers plus servers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that network maps are kept updated, captures and manages the configuration of almost all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating time-consuming network management processes, WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding appliances that need critical updates, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your network operating efficiently by tracking the state of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT management personnel and your Progent consultant so that all potential issues can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms and the applications. Because the system is virtualized, it can be moved immediately to alternate hardware without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect data related to your network infrastructure, procedures, business applications and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL/TLS certificates or warranties. By cleaning up and organizing your network documentation, you can eliminate as much as half the time spent searching for critical information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning improvements, performing maintenance or responding to a crisis such as a ransomware attack, ProSight IT Asset Management delivers the knowledge you need when you need it. Read more about ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates behavior-based machine learning to guard endpoints as well as physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which easily escape legacy signature-matching AV products. The service safeguards on-premises and cloud resources and provides a unified platform to manage the entire threat progression: filtering, detection, mitigation, remediation and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Read more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Help Center: Help Desk Managed Services
Progent's Help Desk managed services enable your IT team to offload help desk services to Progent or split responsibilities for service desk support transparently between your internal support resources and Progent's extensive roster of IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a transparent extension of your core IT support organization. End user interaction with the service desk, provision of technical assistance, issue escalation, trouble ticket generation and updates, efficiency measurement and maintenance of the service database are cohesive regardless of whether incidents are resolved by your internal network support organization, by Progent or both. Find out more about Progent's outsourced/co-managed Help Desk services.
- Progent's Patch Management: Patch Management Services
Progent's support services for software and firmware patch management provide businesses of any size a flexible and affordable alternative for assessing, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT system. In addition to maximizing the protection and reliability of your IT environment, Progent's software/firmware update management services free up time for your IT staff to focus on line-of-business initiatives and tasks that deliver the highest business value from your network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against stolen passwords by requiring a second factor: a password alone, the credential ransomware operators most often obtain through phishing or purchase, is no longer enough to log in. Duo supports one-tap identity verification on Apple iOS, Google Android and other out-of-band devices. With two-factor authentication (2FA), whenever you sign into a protected application and enter your password you are asked to confirm the login on a device that only you possess and that communicates over a separate channel. A wide range of devices can serve as this second factor, such as a smartphone or wearable, a hardware or software token, or a landline telephone, and you may enroll multiple verification devices. For more information about Duo identity verification services, visit Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of real-time and in-depth reporting tools designed to work with the industry's top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24x7x365 Boise CryptoLocker Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.