Ransomware: Your Worst Information Technology Nightmare
Crypto-ransomware has become a modern cyber pandemic and poses an existential danger to businesses that are poorly prepared for an attack. Older families such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock have been in the wild for years and still cause damage. Recent families like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, as well as frequent unnamed variants, not only encrypt online data but also seek out and encrypt or delete any system restore points and backups reachable from the compromised network. Data replicated to off-site disaster recovery sites can be ransomed too, because replication copies the encrypted files over the good ones unless retention or immutability is enforced on the target. In a poorly designed data protection solution this renders automated recovery hopeless and effectively sets the network back to zero.
Getting applications and data back online after a ransomware attack is a race against time as the targeted organization fights to stop the spread, remove the ransomware, and resume business-critical activity. Because ransomware needs time to spread, attacks are often triggered during nights and weekends, when they take longer to be noticed. This multiplies the difficulty of quickly mobilizing and coordinating an experienced response team.
Progent provides a range of solutions for protecting organizations from ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM), a managed endpoint protection service built on SentinelOne's behavior-based, machine learning agent that detects and quarantines zero-day threats, and the assistance of experienced ransomware recovery engineers with the skill and perseverance to rebuild a compromised network as quickly as possible.
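The failure mode described above (backups that are writable from the production network get encrypted along with everything else, and replication then propagates the damage) is usually discovered on restore day. As an added example that is not Progent's tooling or any product's code, the Python below signs a manifest of a backup set with a key that is held offline and later verifies the set against that manifest, flagging files that changed, files that now look like ciphertext, and files that appeared from nowhere. The backup contents, file names, the key and the entropy threshold are constructed for the example.

```python
import hashlib
import hmac
import json
import math
import os
import tempfile
from pathlib import Path

# Hypothetical key for this example. In practice the key lives offline (a
# password manager, an HSM, or a printed copy in a safe), never on the backup
# target: an intruder who can encrypt the backups must not be able to re-sign
# a manifest that matches the damaged files.
MANIFEST_KEY = b"example-offline-key-do-not-reuse"

# Heuristic only: ciphertext is close to 8 bits per byte; most backup formats
# sit well below this unless they are compressed or already encrypted.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(backup_dir, key: bytes = MANIFEST_KEY) -> dict:
    """Hash every file under backup_dir and sign the listing with the offline key."""
    root = Path(backup_dir)
    files = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            files[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir, manifest: dict, key: bytes = MANIFEST_KEY) -> list:
    """Return [] if the backup matches the manifest, otherwise a list of (path, reason)."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # A re-signed or edited manifest means the backup target itself was tampered with.
        return [("manifest", "hmac mismatch: manifest was altered or re-signed without the key")]
    root = Path(backup_dir)
    findings = []
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest["files"].items():
        path = root / rel
        if not path.is_file():
            findings.append((rel, "missing"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            reason = "content changed"
            if shannon_entropy(data[:65536]) > ENTROPY_THRESHOLD:
                reason += " (high entropy: possibly encrypted)"
            findings.append((rel, reason))
    # Files the manifest never listed are suspicious too: ransom notes, dropped tools.
    for rel in sorted(present - manifest["files"].keys()):
        findings.append((rel, "unexpected file not in manifest"))
    return findings


def demo():
    """Constructed scenario: a clean backup set, then the same set after 'ransomware' hits it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "mrp.bak").write_bytes(b"MRP full backup record\n" * 400)
        (root / "mail.edb").write_bytes(b"Exchange database page\n" * 300)
        manifest = build_manifest(root)  # signed while the backup is known-good
        clean = verify_backup(root, manifest)
        # Simulate encryption: random bytes stand in for ciphertext, and a ransom note appears.
        (root / "db" / "mrp.bak").write_bytes(os.urandom(8192))
        (root / "README_TO_DECRYPT.txt").write_text("your files are encrypted")
        after = verify_backup(root, manifest)
        # An intruder with write access to the target may also regenerate the manifest
        # so the hashes match the encrypted files; without the offline key it will not validate.
        forged = build_manifest(root, key=b"attacker-does-not-have-the-real-key")
        forged_result = verify_backup(root, forged)
        return clean, after, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "after attack", "forged manifest"), demo()):
        print(label, result)
```

Run build_manifest against the target right after a verified-good backup and store the manifest and key off the target; run verify_backup before trusting a restore point and before letting it replicate off-site. The HMAC is the part that matters against ransomware with write access to the backup share, since a plain hash list could simply be regenerated to match the encrypted files. The entropy check is a heuristic: compressed or already-encrypted backup formats will trip it, so raise ENTROPY_THRESHOLD or exempt those files.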
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the attackers will respond with keys that decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never recovered their data after paying, compounding their losses. Ransoms are also expensive: Ryuk demands are commonly a few hundred thousand dollars, and for larger enterprises they can run into the millions. The alternative is to rebuild the vital parts of your IT environment. Without complete, uncompromised backups, this requires a broad range of skills, well-coordinated project management, and the willingness to work around the clock until the job is done.
For two decades, Progent has offered expert IT services to companies across the US and has earned Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts includes engineers who hold high-level certifications in leading technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security consultants hold internationally recognized industry certifications including CISA, CISSP, CRISC, SANS GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has expertise with financial management and ERP software. This breadth of experience gives Progent the capability to quickly identify critical systems, rebuild the surviving components of your network following a ransomware intrusion, and reassemble them into a functioning environment.
Progent's ransomware team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of acting swiftly and in concert with the customer's management and IT staff to prioritize tasks and get key services back online as fast as possible.
Business Case Study: A Successful Ransomware Attack Restoration
A customer contacted Progent after their network was taken down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-linked actors because it shares code with the Hermes ransomware, but later research attributes it to Russian-speaking cybercrime groups. Ryuk targets specific businesses with little ability to tolerate operational disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk incident had halted all business operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the start of the intrusion and were eventually encrypted. The client was considering paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately decided to engage Progent.
"I cannot speak enough about the support Progent gave us during the most stressful period of (our) business's life. We would have paid the cybercriminals if not for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and essential applications back into operation in less than five days was incredible. Each expert I talked with or e-mailed at Progent was amazingly focused on getting us back on-line and was working day and night on our behalf."
Progent worked with the client to rapidly assess and prioritize the critical services that had to be restored before business functions could resume:
- Windows Active Directory
- E-Mail
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident response best practices by containing the spread and cleaning infected systems. Progent then began rebuilding Active Directory, the foundation of any environment built on Windows Server. Exchange will not run without Active Directory, and the customer's MRP system used Microsoft SQL Server, which in this environment relied on Active Directory for authentication to the data.
In less than two days, Progent recovered Active Directory to its pre-intrusion state. Progent then completed reinstallation and storage recovery of the most important applications. All Exchange Server connections and configuration data were intact, which greatly simplified the Exchange restore. Progent collected local OST files (Outlook offline folder files) from staff PCs to recover mailbox contents, since each OST holds a cached copy of its user's mailbox. A reasonably recent offline backup of the accounting/MRP system made it possible to bring those essential services back online for users. Although much work remained to recover fully from the Ryuk incident, core services were restored quickly:
"For the most part, the production line operation showed little impact and we made all customer orders."
Over the following month, critical milestones in the recovery project were reached through tight collaboration between Progent consultants and the customer:
- Self-hosted web sites were brought back up with no loss of information.
- The MailStore email archive server, holding over 4 million archived messages, was restored and made accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables/Inventory Control modules were 100% functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- 90% of user desktops and notebooks were back in operation.
"So much of what happened in the early hours is mostly a blur for me, but our team will not forget the commitment all of you accomplished to give us our business back. I have utilized Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This time was a Herculean accomplishment."
Conclusion
A potentially business-ending catastrophe was averted thanks to results-oriented professionals, a broad range of IT skills, and close teamwork. In hindsight, the ransomware incident described here could have been stopped by current security technology and recognized best practices: user training, backup procedures that keep at least one copy offline or immutable, and keeping systems current with security patches. The reality, however, is that state-sponsored and criminal threat actors from Russia, China and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware attack, you can be confident that Progent's team has proven experience in ransomware defense, removal, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for letting me get rested after we got over the most critical parts. All of you did a fabulous job, and if anyone is around the Chicago area, dinner is my treat!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Brighton a portfolio of remote monitoring and security assessment services designed to help you minimize the threat from ransomware. These services incorporate next-generation machine learning to detect zero-day variants of ransomware that get past legacy signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's behavior-based machine learning agent to guard physical and virtual endpoints against modern malware such as ransomware and phishing payloads that easily get by legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform covering the entire attack lifecycle: prevention, detection, containment, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Because ransomware routinely deletes or shrinks shadow copies before it begins encrypting, VSS-based rollback is only as good as the agent's protection of those snapshots; treat it as a complement to offline backups, not a replacement for them. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection services offer affordable, in-depth security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to security threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization consultants can help you plan and implement a ProSight ESP deployment that addresses your organization's unique needs and that allows you to achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help your company install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore technology companies to create ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and monitor your backup operations and allow non-disruptive backup and fast restoration of critical files, applications, system images, and VMs. ProSight DPS lets your business recover from data loss caused by equipment breakdown, natural disasters, fire, malware like ransomware, human error, malicious employees, or application glitches. Managed backup services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses technology from leading information security companies to provide centralized management and comprehensive protection for your inbound and outbound email. Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway device to defend against spam, viruses, denial-of-service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first barrier and keeps most threats from ever reaching your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper layer of analysis for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also help Exchange Server track and safeguard internal email that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, optimize and debug their networking hardware like switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are kept updated, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, finding appliances that need critical software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system running efficiently by tracking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your specified IT personnel and your Progent consultant so all looming problems can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported easily to a different hardware environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of TLS/SSL certificates or domains. By keeping your IT infrastructure documentation current and organized, you can save as much as 50% of the time spent searching for vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates behavior-based analysis to defend endpoints as well as physical and virtual servers against modern malware such as ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus tools. Active Defense Against Ransomware safeguards on-premises and cloud resources and offers a unified platform covering the complete attack lifecycle: prevention, detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.
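The VSS rollback feature mentioned here and under ProSight Active Security Monitoring above only works if shadow copies still exist when they are needed, and deleting them is the first thing most ransomware does. The following is an added example, not Progent's or SentinelOne's code, of the detection logic a SOC would run over process-creation telemetry to catch the shadow-copy deletion and recovery-disabling commands (MITRE ATT&CK T1490, Inhibit System Recovery) that precede encryption. The events, hostnames, usernames and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the recovery-inhibition step ransomware runs before
# encrypting, so that shadow copies, Windows Backup catalogs and automatic
# repair are already gone when the victim reaches for them.
RULES = [
    ("vss_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vss_resize_storage", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("ps_shadowcopy_delete", re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_backups", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures\b)", re.I)),
]

# Constructed sample of process-creation events carrying the fields that Sysmon
# Event ID 1 or Security event 4688 (with command-line auditing) provide.
SAMPLE_EVENTS = [
    {"ts": "2021-03-06T02:14:05", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2021-03-06T02:14:06", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"ts": "2021-03-06T02:14:07", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2021-03-06T02:14:08", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": "2021-03-05T09:30:00", "host": "WS23", "user": "CORP\\jdoe",
     "cmdline": "vssadmin list shadows"},  # benign: read-only query
    {"ts": "2021-03-05T09:31:00", "host": "WS23", "user": "CORP\\jdoe",
     "cmdline": "wmic os get caption"},  # benign: unrelated WMI use
    {"ts": "2021-03-05T23:55:10", "host": "DC01", "user": "CORP\\admin",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]


def match_rules(cmdline: str) -> list:
    """Names of every rule the command line triggers (empty for benign commands)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(events, window: timedelta = timedelta(minutes=10)) -> list:
    """Group hits per host and grade them.

    A single matching command (an administrator resizing shadow storage, say)
    is worth a look and is graded high; two or more distinct techniques inside
    `window` is the stereotyped ransomware pre-encryption burst, graded critical.
    """
    hits = defaultdict(list)
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), rule, ev["user"], ev["cmdline"]))
    verdicts = []
    for host, host_hits in hits.items():
        host_hits.sort(key=lambda h: h[0])
        distinct = {h[1] for h in host_hits}
        burst = host_hits[-1][0] - host_hits[0][0] <= window
        severity = "critical" if len(distinct) >= 2 and burst else "high"
        verdicts.append({"host": host, "severity": severity,
                         "hits": [(t.isoformat(), r, u, c) for t, r, u, c in host_hits]})
    return verdicts


if __name__ == "__main__":
    for v in detect(SAMPLE_EVENTS):
        print(v["host"], v["severity"])
        for ts, rule, user, cmd in v["hits"]:
            print(f"  {ts} {user} {rule}: {cmd}")
```

Feed it from Sysmon Event ID 1 or Windows Security event 4688; note that 4688 only carries the command line when the "Include command line in process creation events" policy is enabled, which is off by default. Tune the single-hit severity to your environment: backup software and administrators do legitimately resize shadow storage, whereas vssadmin delete shadows issued on a file server at two in the morning rarely has an innocent explanation, and at that point the encryption run is usually seconds away.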
- Outsourced/Co-managed Call Center: Support Desk Managed Services
Progent's Service Desk managed services allow your IT staff to outsource Service Desk support to Progent or to split responsibilities transparently between your in-house support resources and Progent's large pool of IT support engineers and subject matter experts. Progent's Shared Service Desk provides a seamless supplement to your in-house IT support team. User access to the Service Desk, provision of technical assistance, escalation, trouble ticket generation and tracking, performance measurement, and management of the service database are consistent regardless of whether issues are handled by your in-house support resources, by Progent, or both. Learn more about Progent's outsourced/co-managed Service Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management offer businesses of all sizes a flexible and affordable solution for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT network. Besides maximizing the protection and reliability of your computer environment, Progent's patch management services allow your IT team to concentrate on more strategic initiatives and activities that deliver the highest business value from your information network. Read more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication managed services use Cisco's Duo cloud technology to mitigate compromised passwords through two-factor authentication. Duo enables single-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected application and enter your password you are asked to confirm your identity via a device that only you possess and that uses a separate network channel. A broad selection of devices can serve as this added form of authentication, including a smartphone or wearable, a hardware or software token, or a landline telephone, and you may designate several validation devices. For more information about Duo identity authentication services, refer to Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time and in-depth management reporting plug-ins designed to work with the leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-up or machines with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For Brighton 24/7 Crypto-Ransomware Cleanup Help, contact Progent at 800-462-8800 or go to Contact Progent.