Ransomware: Your Worst IT Disaster
Ransomware has become a modern cyber pandemic that represents an existential danger for businesses poorly prepared for an assault. Versions of ransomware such as Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and still inflict havoc. The latest crypto-ransomware strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus frequent as-yet-unnamed newcomers, not only encrypt online data but also seek out and destroy every reachable system restore point and backup. Files synchronized to cloud environments can also be corrupted. In a vulnerable environment, this can render any restore operation impossible and effectively sets the datacenter back to square one.
Bringing applications and data back online after a crypto-ransomware intrusion becomes a race against time as the victim fights to contain the damage, clean up the ransomware, and resume enterprise-critical operations. Because ransomware needs time to spread, attacks are frequently launched during nights and weekends, when a successful attack is likely to take longer to recognize. This multiplies the difficulty of promptly mobilizing and orchestrating a knowledgeable response team.
Progent offers an assortment of help services for protecting enterprises from ransomware penetrations. These include staff training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of the latest generation security appliances with artificial intelligence technology from SentinelOne to discover and suppress new cyber threats intelligently. Progent also offers the services of expert ransomware recovery engineers with the track record and commitment to restore a compromised environment as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom demand in cryptocurrency provides no assurance that the remote criminals will supply the keys needed to decrypt any of your information. Kaspersky estimated that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in more losses. The ransom itself is also very costly. Ryuk ransoms are often several hundred thousand dollars. For larger organizations, the ransom can be in the millions of dollars. The fallback is to set up the vital components of your IT environment from scratch. Absent access to full system backups, this requires a wide range of skill sets, well-coordinated project management, and the willingness to work 24x7 until the job is finished.
For two decades, Progent has made available expert IT services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned top certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally recognized certifications including CISM, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems, consolidate the surviving parts of your network environment after a ransomware event, and assemble them into a functioning network.
Progent's recovery group uses best-of-breed project management systems to coordinate the complicated restoration process. Progent knows the importance of working swiftly and in concert with a client's management and IT staff to prioritize tasks and to get the most important systems back online as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Penetration Restoration
A client escalated to Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state hackers, suspected of using technology leaked from the U.S. NSA. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with about 500 workers. The Ryuk event had disabled all company operations and manufacturing capabilities. Most of the client's backups had been online when the intrusion began and were destroyed. The client was preparing to pay the ransom demand (in excess of $200K) and hoping for good luck, but ultimately called Progent.
"I can't speak enough about the help Progent provided us during the most fearful period of (our) company's life. We had little choice but to pay the criminal gangs except for the confidence the Progent experts afforded us. That you were able to get our messaging and important applications back online faster than one week was beyond my wildest dreams. Every single expert I talked with or messaged at Progent was urgently focused on getting us restored and was working 24 by 7 to bail us out."
Progent worked together with the client to quickly identify and assign priority to the essential applications that needed to be addressed to make it possible to restart business functions:
- Windows Active Directory
- Microsoft Exchange
- Financials/MRP
To begin, Progent followed industry best practices for malware incident response: isolating affected systems to halt lateral movement and disinfecting them. Progent then started the process of recovering Active Directory, the foundation of enterprise environments built on Microsoft Windows Server technology. Exchange messaging will not function without Windows AD, and the client's financial and MRP applications ran on Microsoft SQL Server, which relied on Windows AD to control access to the data.
In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then helped perform reinstallations and storage recovery on key applications. All Microsoft Exchange Server data and attributes were usable, which greatly helped the restoration of Exchange. Progent was able to collect intact OST files (Outlook Offline Folder Files) from staff workstations and laptops to recover mail data. A recent offline backup of the customer's accounting/MRP software allowed these essential services to be brought back online. Although a large amount of work remained to recover fully from the Ryuk damage, essential systems were recovered rapidly:
"For the most part, the production operation showed little impact and we delivered all customer shipments."
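The OST collection step described above, written out as an added example (this is illustrative code, not Progent's own tooling): the script inventories Outlook OST files under each user profile's default Outlook data path, copies them to a recovery share, and records size, last-write time and a SHA-256 hash in a manifest so a recovery team can triage and verify each copy. The profile root and the recovery share path are assumptions.

```powershell
# Added example: preserve intact Outlook OST files from a workstation before it
# is rebuilt. Assumes the default OST location under each user profile; the
# recovery share path is a placeholder.
param(
    [string]$ProfileRoot   = 'C:\Users',
    [string]$RecoveryShare = '\\RECOVERY-SRV\ost-collect'   # placeholder
)

$computer = $env:COMPUTERNAME
$dest     = Join-Path $RecoveryShare $computer
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Outlook stores OST files in %LOCALAPPDATA%\Microsoft\Outlook by default.
# Files the ransomware encrypted typically carry a different extension, so
# only still-intact .ost files match this filter.
$ostFiles = Get-ChildItem -Path (Join-Path $ProfileRoot '*\AppData\Local\Microsoft\Outlook') `
                          -Filter '*.ost' -File -ErrorAction SilentlyContinue

$manifest = foreach ($f in $ostFiles) {
    # First path element below the profile root is the user profile name.
    $user   = $f.FullName.Substring($ProfileRoot.Length).TrimStart('\').Split('\')[0]
    $target = Join-Path $dest ("{0}_{1}" -f $user, $f.Name)
    try {
        # A running Outlook holds its OST open exclusively; a locked file is
        # recorded as failed rather than aborting the whole collection.
        Copy-Item -Path $f.FullName -Destination $target -ErrorAction Stop
        $hash   = (Get-FileHash -Path $target -Algorithm SHA256).Hash
        $status = 'copied'
    } catch {
        $hash   = ''
        $status = "failed: $($_.Exception.Message)"
    }
    # LastWrite lets the recovery team spot files touched after the intrusion began.
    [pscustomobject]@{
        Computer   = $computer
        User       = $user
        SourcePath = $f.FullName
        SizeMB     = [math]::Round($f.Length / 1MB, 1)
        LastWrite  = $f.LastWriteTime
        Sha256     = $hash
        Status     = $status
    }
}

$manifest | Export-Csv -Path (Join-Path $dest 'ost-manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Run it from an elevated session on each workstation after Outlook has been closed; the per-machine manifest is what the mail recovery team works from.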
During the following few weeks, important milestones in the restoration process were reached through tight collaboration between Progent team members and the client:
- Self-hosted web sites were restored with no loss of data.
- The MailStore Server with over 4 million historical messages was spun up and accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control modules were fully operational.
- A new Palo Alto Networks 850 security appliance was brought online.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"So much of what happened in the early hours is mostly a blur for me, but our team will not soon forget the commitment each of the team accomplished to help get our company back. I've been working with Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered. This event was a stunning achievement."
Conclusion
A probable business-killing catastrophe was averted through the efforts of results-oriented experts, a wide range of knowledge, and tight collaboration. Post-incident analysis showed that the crypto-ransomware intrusion detailed here could have been blocked with current security technology and best practices, staff training, and well-designed procedures for data backup and software patching; the reality remains, however, that state-sponsored hackers from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware penetration, be confident that Progent's roster of experts has extensive experience in crypto-ransomware blocking, remediation, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for letting me get rested after we made it over the most critical parts. All of you did an incredible job, and if anyone that helped is in the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Brighton a variety of online monitoring and security assessment services to help you to reduce your vulnerability to crypto-ransomware. These services utilize next-generation machine learning capability to detect new variants of ransomware that are able to evade legacy signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting-edge behavior analysis tools to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which easily evade legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to manage the complete malware attack progression including protection, identification, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP deployment that meets your organization's specific needs and that allows you to achieve and demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and implement the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent can also assist you to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has partnered with advanced backup software companies to create ProSight Data Protection Services (DPS), a selection of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and allow transparent backup and rapid recovery of vital files, applications, system images, and virtual machines. ProSight DPS lets your business avoid data loss resulting from hardware breakdown, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or application glitches. Managed backup services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top data security vendors to provide web-based management and world-class security for your inbound and outbound email. The powerful architecture of the Email Guard managed service combines cloud-based filtering with a local gateway device to offer advanced protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email before it reaches your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a further layer of analysis for incoming email. For outbound email, the local gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, track, reconfigure and debug their networking appliances such as routers and switches, firewalls, and access points plus servers, printers, client computers and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that network maps are always updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates notices when issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, locating devices that need critical updates, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating efficiently by tracking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your specified IT management staff and your Progent consultant so any looming problems can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With the ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Since the environment is virtualized, it can be moved easily to a different hardware solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save as much as 50% of the time spent trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates cutting-edge behavior-based analysis tools to guard endpoint devices and physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which easily get by legacy signature-based anti-virus products. Progent's Active Security Monitoring services safeguard local and cloud-based resources and offer a single platform to automate the entire malware attack progression including protection, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Help Center: Support Desk Managed Services
Progent's Support Desk managed services permit your information technology group to offload Call Center services to Progent or split responsibilities for Help Desk services transparently between your in-house support staff and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth supplement to your core IT support group. User interaction with the Service Desk, delivery of technical assistance, escalation, trouble ticket generation and updates, performance metrics, and management of the service database are cohesive whether incidents are resolved by your in-house support staff, by Progent, or a mix of the two. Learn more about Progent's outsourced/co-managed Service Center services.
- Patch Management: Patch Management Services
Progent's support services for patch management provide organizations of all sizes a flexible and affordable solution for assessing, validating, scheduling, implementing, and tracking updates to your dynamic information system. In addition to maximizing the protection and functionality of your computer network, Progent's patch management services permit your IT staff to focus on more strategic projects and tasks that derive maximum business value from your network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication services use Cisco's Duo technology to protect against compromised passwords through two-factor authentication (2FA). Duo supports one-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With 2FA, when you sign into a protected online account and enter your password, you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A wide selection of out-of-band devices can be used for this added means of authentication, including a smartphone or wearable, a hardware token, a landline telephone, etc. You may register several verification devices. For more information about ProSight Duo two-factor identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time and in-depth reporting utilities created to work with the industry's top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues such as inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Brighton 24x7x365 Crypto-Ransomware Cleanup Help, call Progent at 800-462-8800 or go to Contact Progent.