Ransomware: Your Feared IT Catastrophe
Ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level threat to any business vulnerable to attack. Crypto-ransomware families such as Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock have been circulating for years and continue to cause damage, and the self-propagating strains among them (WannaCry, NotPetya) spread across networks on their own. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, plus a daily stream of unnamed variants, not only encrypt online data but also encrypt or delete any backups reachable from the compromised network. Files replicated to cloud storage can be ransomed too, because sync clients faithfully replicate the encrypted versions. In a poorly designed environment this makes automated recovery impossible and sets the whole organization back to square one.
Restoring services and data after a ransomware intrusion becomes a race against the clock as the targeted business fights to contain and eradicate the ransomware and to resume business-critical operations. Because mass encryption takes time, attacks are usually launched at night or on weekends, when they take longer to discover and it is harder to mobilize and organize a knowledgeable response team quickly.
Progent offers a range of services for protecting businesses from crypto-ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment and configuration of SentinelOne's behavior-based endpoint protection, which uses machine learning to identify and block new attacks. Progent also provides experienced ransomware recovery professionals with the skill and commitment to restore a breached environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware attack, paying the ransom in Bitcoin gives no assurance that the criminals will supply working decryption keys for all your data. Kaspersky Lab found that seventeen percent of ransomware victims who paid never recovered their information, compounding the loss. Paying is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the typical crypto-ransomware demand, which ZDNet put at about $13,000. The alternative is to rebuild the key elements of your IT environment. Without access to clean backups of essential data, this calls for a broad set of skills, strong project management, and the willingness to work around the clock until the job is done.
For two decades, Progent has provided professional IT services to businesses in Brighton and across the U.S. and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals with high-level certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP software. This breadth of expertise lets Progent quickly identify the essential systems, reorganize the surviving pieces of your IT environment after a ransomware event, and assemble them into a working whole.
Progent's recovery team uses professional project management tools to orchestrate the complex restoration process. Progent understands the importance of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and bring key systems back online as fast as possible.
Customer Story: A Successful Crypto-Ransomware Incident Recovery
A small business engaged Progent after its network was taken over by the Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored hackers because it shares code with the Hermes ransomware, but later analysis attributed it to Russian-speaking criminal operators, who typically deploy it after gaining a foothold with commodity trojans such as Emotet and TrickBot. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most profitable ransomware operations. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer in the Chicago metro area with around 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing processes. Most of the client's backups had been online and reachable from the network when the intrusion began, and were encrypted along with everything else. The client was arranging financing to pay the ransom (over two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I can't say enough about the support Progent provided us throughout the most fearful period of (our) company's life. We most likely would have paid the cybercriminals if not for the confidence the Progent team afforded us. The fact that you were able to get our e-mail system and essential servers back in less than five days was beyond my wildest dreams. Each expert I got help from or e-mailed at Progent was amazingly focused on getting us back online and was working non-stop on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the essential services that had to be recovered so company operations could continue:
- Active Directory
- Exchange messaging
- Financials/ERP and MRP system (SQL Server)
To start, Progent followed ransomware incident response best practices by stopping the spread and cleaning infected systems. Progent then began recovering Windows Active Directory, the foundation of networks built on Windows Server. Microsoft Exchange will not function without Active Directory, and the business's financials and MRP system ran on SQL Server, which relies on Active Directory for Windows authentication to the data.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then completed setup and storage recovery for the mission-critical applications. All Exchange Server data and configuration information were intact, which simplified the Exchange rebuild. Progent located unencrypted OST files (Outlook offline folder files) on user desktops and used them to recover mail messages. A reasonably recent offline backup of the client's financials/ERP software, which survived because it was not reachable from the network, made it possible to bring those essential applications back to users. Although significant work remained to recover fully from the Ryuk attack, the most important systems were restored quickly:
"For the most part, the manufacturing operation never missed a beat and we produced all customer orders."
During the next month critical milestones in the restoration project were made in close collaboration between Progent consultants and the client:
- In-house web sites were brought back up without losing any data.
- The MailStore Server containing more than 4 million archived messages was brought online and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control capabilities were completely restored.
- A new Palo Alto Networks PA-850 firewall was brought online.
- 90% of the desktop computers were back into operation.
"A lot of what went on in the initial days is nearly entirely a blur for me, but we will not forget the urgency all of your team put in to give us our company back. I have entrusted Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered as promised. This time was a stunning achievement."
A potential business disaster was averted by dedicated professionals, a broad range of subject matter expertise, and close collaboration. In hindsight, the ransomware incident described here could have been prevented with current security technology and best practices, user and administrator training, and well-designed procedures for data protection and timely security patching; nevertheless, state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has extensive experience in ransomware prevention, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), thanks very much for making it so I could get rested after we made it past the initial fire. All of you did an incredible effort, and if any of your guys is around the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Brighton a portfolio of remote monitoring and security assessment services to help reduce the threat from ransomware. These services use behavior-based machine learning to detect new strains of crypto-ransomware that evade legacy signature-based security products.
For 24-Hour Brighton Ransomware Repair Consulting, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service built on SentinelOne's behavior-based machine learning technology to guard physical and virtual endpoints against modern malware such as ransomware and fileless attacks, which easily evade traditional signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to manage the entire threat lifecycle: prevention, detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Note that VSS-based rollback only works if shadow copies still exist when the rollback runs; ransomware families including Ryuk routinely delete them before encrypting, so rollback complements, and does not replace, offline backups. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and react to security threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through technologies incorporated in a single agent managed from a single console. Progent's data protection and virtualization consultants can help you plan and implement a ProSight ESP environment that addresses your organization's specific requirements and allows you to prove compliance with legal and industry information security standards. Progent will help you define and implement the policies that ProSight ESP enforces, and will monitor your network and respond to alerts that call for immediate action. Progent can also help you set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore technology providers to create ProSight Data Protection Services, a family of subscription-based managed plans that provide backup-as-a-service. ProSight DPS services automate and monitor your backup processes and enable non-disruptive backup and rapid recovery of vital files, applications, images, and virtual machines. ProSight DPS helps you recover from data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, human error, malicious insiders, or software bugs. Because ransomware encrypts any backup it can reach, a DPS deployment should keep at least one copy that is isolated from production credentials and the production network. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you identify which of these managed backup services are best suited to your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security vendors to deliver web-based management and comprehensive security for all your inbound and outbound email. The architecture of Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first barrier and blocks the vast majority of threats before they reach your network firewall, which reduces your exposure to external threats and conserves bandwidth and storage. Email Guard's on-premises security gateway provides a deeper level of analysis for inbound email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server monitor and protect internal email that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, enhance and troubleshoot their connectivity hardware like switches, firewalls, and wireless controllers plus servers, client computers and other devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, copies and displays the configuration of almost all devices connected to your network, monitors performance, and generates notices when problems are detected. By automating complex management processes, ProSight WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding devices that require important software patches, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management technology to keep your network running efficiently by tracking the state of vital computers that drive your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT personnel and your Progent consultant so that any looming issues can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hosting environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half the time otherwise spent searching for vital information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your network infrastructure, such as recommended procedures and how-tos. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Read more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection service that uses behavior-based machine learning to defend endpoint devices and physical and virtual servers against new malware attacks such as ransomware and fileless attacks, which easily evade legacy signature-matching anti-virus tools. The service protects on-premises and cloud resources and provides a single platform to automate the complete threat lifecycle: prevention, detection, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Learn more about Progent's ransomware defense and cleanup services.
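The VSS-based rollback described in this section and in the ProSight Active Security Monitoring section only helps if shadow copies still exist when the rollback runs, and ransomware such as Ryuk deletes them immediately before encrypting. The Python script below is an added example, not Progent's or SentinelOne's code: it scans Windows process-creation command lines for the shadow-copy and backup-tampering commands that precede encryption and lists the hosts to isolate. The log layout (timestamp|host|user|command line), the host and user names, and every log line are constructed for the example and do not reflect any product's format.

```python
"""Flag shadow-copy and backup-tampering commands in process-creation logs.

Added example, not code from Progent or SentinelOne. Ransomware such as Ryuk
deletes Volume Shadow Copies right before encrypting, which defeats any
VSS-based rollback, so the deletion commands themselves are worth alerting on.
The log format (timestamp|host|user|command line) and all sample lines are
constructed for this example (assumption, not a real product format).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    technique: str
    command: str


# Command-line patterns commonly seen just before encryption. Listing or
# creating shadow copies is normal admin activity and is deliberately not matched.
PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Win32_ShadowCopy delete via PowerShell",
     re.compile(r"Win32_ShadowCopy.*(Delete\(\)|Remove-WmiObject)", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("wbadmin delete backups",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]

# Constructed sample log. Only the command-line field may contain '|', so the
# parser splits on at most three separators.
SAMPLE_LOG = """\
2019-12-28T02:14:07Z|FS01|CORP\\svc_backup|vssadmin.exe list shadows
2019-12-28T02:14:09Z|FS01|CORP\\jdoe|vssadmin.exe Delete Shadows /All /Quiet
2019-12-28T02:14:11Z|FS01|CORP\\jdoe|wmic.exe shadowcopy delete
2019-12-28T02:14:12Z|FS01|CORP\\jdoe|bcdedit /set {default} recoveryenabled No
2019-12-28T02:14:13Z|DC01|CORP\\admin|powershell.exe Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}
2019-12-28T02:15:00Z|WS07|CORP\\asmith|OUTLOOK.EXE /recycle
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (timestamp, host, user, command) or None for malformed lines."""
    parts = line.split("|", 3)
    return (parts[0], parts[1], parts[2], parts[3]) if len(parts) == 4 else None


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per log line whose command matches a pattern."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        ts, host, user, cmd = parsed
        for technique, pattern in PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(ts, host, user, technique, cmd))
                break  # one finding per line is enough
    return findings


def hosts_to_isolate(findings: List[Finding]) -> List[str]:
    """Hosts that should be cut off the network pending investigation."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.host} {f.user}: {f.technique}: {f.command}")
    print("isolate:", ", ".join(hosts_to_isolate(results)))
```

Run against the constructed sample, the benign "vssadmin list shadows" line from the backup service account is ignored, while the four tampering commands on FS01 and DC01 are flagged and both hosts are listed for isolation. In a real deployment the same patterns would be fed from Security event 4688 or Sysmon event 1 command lines, and a hit should trigger isolation before the encryption phase completes, since once shadow copies are gone the rollback feature has nothing to roll back to.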
- Progent's Outsourced/Shared Help Center: Help Desk Managed Services
Progent's Help Desk services let your IT group offload help desk support to Progent or split help desk activity transparently between your internal support staff and Progent's extensive pool of certified IT engineers and subject matter experts. Progent's Shared Help Desk service provides a seamless extension of your core IT support group. User interaction with the help desk, delivery of support, problem escalation, trouble ticket creation and updates, performance measurement, and management of the support database are consistent regardless of whether incidents are resolved by your in-house IT staff, by Progent, or by a mix of the two. Learn more about Progent's outsourced/shared Help Desk services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer businesses of all sizes a versatile and affordable alternative for assessing, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving information system. Besides optimizing the security and reliability of your computer environment, Progent's patch management services free up time for your in-house IT staff to concentrate on line-of-business initiatives and tasks that deliver maximum business value from your network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication services use Cisco's Duo cloud technology to protect against stolen passwords through two-factor authentication (2FA). Duo supports one-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you sign in to a protected account and enter your password, you are asked to verify your identity on a device that only you possess and that uses a separate network channel. A wide range of out-of-band devices can serve as this second factor, including an iPhone, an Android phone or wearable, a hardware token, or a landline phone, and you can register several of them. To find out more about Duo two-factor identity validation services, refer to Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time reporting plug-ins designed to integrate with the industry's top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as inconsistent support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.