Ransomware: Your Feared Information Technology Nightmare
Crypto-ransomware has become an all-too-frequent cyber plague that presents an existential danger to businesses unprepared for an attack. Multiple generations of ransomware such as the Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been in the wild for many years and still cause damage. Recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus a steady stream of as yet unnamed malware, not only encrypt online information but also reach into any system backups that remain online. Information synchronized to off-site disaster recovery sites can also be ransomed. In a poorly designed environment, this can make automated restore operations hopeless and essentially sets the datacenter back to square one.
Recovering services and information after a ransomware intrusion becomes a race against time as the targeted business fights to stop lateral movement, clean up the malware, and resume business-critical activity. Because crypto-ransomware takes time to move laterally, attacks are often launched on weekends and holidays, when intrusions typically take longer to recognize. This multiplies the difficulty of rapidly assembling and organizing a capable response team.
Progent provides a variety of services for protecting organizations from crypto-ransomware intrusions. These include team training to help staff identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security gateways using artificial intelligence technology from SentinelOne to discover and quarantine zero-day cyber threats quickly. Progent can also provide the assistance of expert ransomware recovery engineers with the skills and perseverance to reconstruct a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the cyber criminals will return the keys needed to decrypt any or all of your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their information after paying the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are often several hundred thousand dollars. For larger enterprises, the ransom demand can reach millions of dollars. The fallback is to rebuild the mission-critical elements of your IT environment. Without full data backups, this requires a broad range of IT skills, well-coordinated team management, and the capability to work non-stop until the job is complete.
For two decades, Progent has offered expert IT services to companies throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the capability to knowledgeably assess important systems, re-organize the remaining components of your Information Technology environment following a crypto-ransomware intrusion, and configure them into an operational network.
Progent's recovery team deploys top-notch project management systems to orchestrate the complicated recovery process. Progent appreciates the urgency of working rapidly and together with a customer's management and Information Technology staff to prioritize tasks and to get key systems back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Recovery
A small business escalated to Progent after its network was crashed by the Ryuk ransomware virus. Ryuk is believed to have been created by North Korean government-sponsored cybercriminals, suspected of adopting technology leaked from America's NSA. Ryuk goes after specific businesses with little ability to sustain operational disruption and is among the most profitable incarnations of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with about 500 staff members. The Ryuk intrusion had frozen all company operations and manufacturing capabilities. Most of the client's backups had been online at the time of the attack and were encrypted. The client was preparing to pay the ransom (in excess of $200K) and hoping for the best, but in the end reached out to Progent.
"I cannot tell you enough about the help Progent gave us throughout the most fearful time of (our) business's life. We may have had to pay the cybercriminals if not for the confidence the Progent team gave us. The fact that you could get our messaging and key applications back on-line faster than a week was incredible. Each expert I worked with or texted at Progent was urgently focused on getting us operational and was working non-stop to bail us out."
Progent worked with the customer to rapidly identify and prioritize the key applications that had to be restored in order to resume departmental functions:
- Active Directory
- Microsoft Exchange
- MRP System
To begin, Progent followed industry best practices for malware incident response by stopping lateral movement and cleaning up compromised systems. Progent then started recovering Microsoft Active Directory, the core technology of enterprise networks built on Microsoft Windows. Exchange email will not operate without Active Directory, and the client's accounting and MRP system relied on SQL Server, which depends on Windows AD for authentication and authorization to the databases.
Within two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then assisted with setup and hard drive recovery for the needed applications. All Exchange Server connections and configuration data were intact, which facilitated the rebuild of Exchange. Progent was also able to find unencrypted OST files (Outlook Offline Data Files) on various PCs to recover email messages. A relatively recent offline backup of the client's accounting/ERP software allowed these essential services to be brought back online for users. Although a large amount of work remained to recover completely from the Ryuk damage, core systems were recovered quickly:
"For the most part, the production line operation showed little impact and we delivered all customer shipments."
Over the next month, critical milestones in the recovery process were completed through tight collaboration between Progent team members and the customer:
- In-house web applications were brought back up with no loss of data.
- The MailStore Exchange Server containing more than 4 million archived messages was brought online and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory capabilities were 100% operational.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Nearly all of the user workstations were operational.
"Much of what went on during the initial response is mostly a haze for me, but I will not forget the dedication each of your team put in to help get our business back. I've been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
Conclusion
A likely business catastrophe was averted through dedicated experts, a wide spectrum of technical expertise, and tight teamwork. In hindsight, the ransomware incident described here should have been identified and stopped by advanced security technology and security best practices: team education, properly executed incident response procedures for data protection, and keeping systems current with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incursion, you can be confident that Progent's roster of professionals has a proven track record in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for making it so I could get rested after we made it over the initial push. All of you did a fabulous effort, and if anyone is in the Chicago area, dinner is on me!"
To read or download a PDF version of this case study, click: Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Boise a range of online monitoring and security evaluation services designed to help you minimize your exposure to ransomware. These services use next-generation AI technology to uncover zero-day variants of crypto-ransomware that can evade detection by legacy signature-based anti-virus solutions.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by tracking the state of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT personnel and your Progent engineering consultant so any potential problems can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Desktops
ProSight LAN Watch with NinjaOne RMM software delivers a centralized, cloud-driven solution for monitoring and managing your client-server infrastructure by providing an environment for streamlining common time-consuming tasks. These include health monitoring, update management, automated repairs, endpoint deployment, backup and restore, anti-virus response, remote access, standard and custom scripts, resource inventory, endpoint status reports, and troubleshooting support. When ProSight LAN Watch with NinjaOne RMM spots a serious incident, it transmits an alarm to your specified IT staff and your assigned Progent consultant so emerging problems can be fixed before they interfere with productivity. Find out more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, track, enhance and troubleshoot their connectivity hardware such as routers and switches, firewalls, and access points plus servers, printers, client computers and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are discovered. By automating tedious management processes, WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding appliances that need critical updates, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of real-time management reporting tools designed to work with the top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with advanced backup software providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup operations and allow transparent backup and rapid restoration of critical files/folders, apps, images, plus virtual machines. ProSight DPS lets you protect against data loss caused by equipment failures, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or software bugs. Managed services available in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security vendors to provide web-based management and comprehensive protection for your inbound and outbound email. The layered structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper layer of analysis for inbound email. For outgoing email, the local gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server in tracking and protecting internal email that stays inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA managed services use Cisco's Duo cloud technology to defend against stolen passwords by adding two-factor authentication (2FA). Duo enables single-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to verify your identity on a device that only you possess and that uses a different network channel. A broad selection of out-of-band devices can be used for this second factor, such as a smartphone or wearable, a hardware token, or a landline phone. You can designate multiple validation devices. To learn more about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services for access security.
- Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
Progent's Support Desk managed services enable your IT team to offload Help Desk services to Progent or split activity for Service Desk support transparently between your internal network support staff and Progent's nationwide pool of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent extension of your in-house network support team. User access to the Help Desk, provision of support, problem escalation, ticket creation and tracking, efficiency metrics, and management of the support database are consistent regardless of whether issues are resolved by your internal network support staff, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Help Desk services.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection solution that uses next-generation behavior-based machine learning technology to defend endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely get past legacy signature-based anti-virus tools. Progent ASM services safeguard on-premises and cloud resources and provide a single platform to address the complete malware attack lifecycle, including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By keeping your network documentation current and well organized, you can eliminate as much as half of the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Find out more about the ProSight IT Asset Management service.
- Progent's Patch Management: Patch Management Services
Progent's support services for patch management provide organizations of any size a flexible and cost-effective solution for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic IT network. In addition to maximizing the protection and functionality of your IT environment, Progent's patch management services allow your in-house IT team to concentrate on more strategic initiatives and tasks that deliver maximum business value from your network. Find out more about Progent's patch management services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses SentinelOne's cutting-edge behavior-based analysis tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and fileless exploits, which routinely get past traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to automate the complete malware attack progression, including filtering, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth security for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and respond to security attacks from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can help you design and implement a ProSight ESP environment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent's consultants can also help you install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.
For 24/7 Boise Ransomware Repair Consultants, call Progent at 800-462-8800 or go to Contact Progent.