Ransomware: Your Worst Information Technology Disaster
Ransomware has become a frequent, enterprise-level threat to businesses of every size that are unprepared for an attack. Earlier families such as the Reveton and Fusob screen lockers, the Locky encryptor, MongoLock and the self-propagating NotPetya circulated for years and continue to cause damage. Current crypto-ransomware strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Egregor, along with newcomers that have yet to be named, do more than encrypt online files: they also seek out and encrypt or delete every backup reachable from the network. Data synchronized to cloud storage can be affected as well, since the encrypted files are synced over the clean copies. In a poorly designed environment this makes automatic restoration impossible and effectively resets the network to zero.
Recovering applications and data after a crypto-ransomware attack is a race against time as the targeted organization works to stop lateral movement, eradicate the ransomware, and restore business-critical operations. Because encrypting an entire network takes hours, attackers commonly trigger the final payload at night or over a weekend, when the activity takes longer to notice and respond to. This makes it harder to promptly assemble and coordinate a qualified response team.
Progent offers a range of services for protecting businesses against ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for endpoint protection, and deployment of SentinelOne's machine-learning endpoint agents to detect and quarantine zero-day threats quickly. Progent also provides experienced crypto-ransomware recovery professionals with the track record and commitment to restore a breached environment as quickly as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware compromise, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over keys that decrypt all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims who paid never recovered their data, compounding their losses. The gamble is also expensive: Ryuk ransoms often run to a few hundred thousand dollars, and for larger organizations they can reach millions. The alternative is to rebuild the critical components of your IT environment from scratch. Without usable backups, this requires a broad set of skills, strong project management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has provided expert IT services to companies throughout the U.S. and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals with high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise in financial management and ERP software. This breadth of expertise lets Progent efficiently identify critical systems, consolidate the surviving components of your IT environment after a crypto-ransomware event, and rebuild them into a working network.
Progent's security group uses project management tools to coordinate the complex recovery process. Progent understands the importance of acting quickly and in concert with the customer's management and IT staff to prioritize tasks and bring critical systems back online as fast as possible.
Client Case Study: A Successful Ransomware Attack Recovery
A customer engaged Progent after its network was hit by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the Hermes ransomware, but later analysis tied it to a Russian-speaking criminal group, the operators of the TrickBot botnet. Ryuk is typically deployed by hand after a TrickBot or Emotet infection has given the attackers a foothold; the TrickBot loader in particular spread laterally with a module built on the EternalBlue exploit leaked from the U.S. National Security Agency. Ryuk targets organizations that cannot tolerate downtime and is among the most lucrative ransomware operations. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and Tribune Publishing, whose papers include the Chicago Tribune. Progent's client is a manufacturing company in the Chicago metro area with about 500 employees. The Ryuk intrusion had halted all company operations and manufacturing. Most of the client's backups had been online when the attack began and were destroyed. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but instead called Progent.
"I cannot tell you enough about the help Progent gave us during the most fearful time of (our) businesses life. We most likely would have paid the cyber criminals if not for the confidence the Progent group provided us. That you were able to get our messaging and critical servers back in less than one week was beyond my wildest dreams. Each staff member I spoke to or texted at Progent was amazingly focused on getting us back online and was working 24/7 to bail us out."
Progent worked with the client to rapidly assess and prioritize the critical systems that had to be restored to keep departmental functions running:
- Windows Active Directory
- Exchange Server
- MRP System
Progent first followed incident-response best practice by containing the spread and cleaning the infected systems. Progent then began rebuilding Windows Active Directory, the foundation of any environment built on Microsoft technology: Exchange will not run without AD, and the business's accounting and MRP applications ran on Microsoft SQL Server, which relied on AD for authentication to the databases.
Within two days Progent had restored Active Directory to its pre-attack state. Progent then reinstalled essential servers and recovered data from their disks. The Exchange schema and configuration data in AD were intact, which greatly simplified the Exchange rebuild. Progent was able to collect intact OST files (Microsoft Outlook Offline Data Files) from staff workstations to recover mailbox data, and a recent offline backup of the business's financials/ERP software made it possible to bring those essential services back online. Although a great deal of work remained to recover fully from the Ryuk event, critical systems were restored quickly:
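The dependency reasoning above (Active Directory before Exchange and SQL Server, SQL Server before the MRP application) generalizes to a rebuild planner that orders services so every prerequisite comes back before the systems that authenticate through it, and groups the result into waves that can be rebuilt in parallel. The Python below is an added example written for this page, not Progent's tooling or anything from the case study; the service inventory, the priorities, and the split between SQL Server and the applications on it are assumptions for illustration.

```python
"""Order the rebuild of services after a ransomware event by their dependencies.

Each service lists the services it needs before it can run. The planner
emits a rebuild order in which every dependency precedes its dependents,
breaks ties by business priority (lower number = restore sooner), and
refuses to plan if the dependency graph contains a cycle.
"""
from collections import defaultdict
import heapq


class DependencyCycle(Exception):
    """Raised when services depend on each other and no order exists."""


def rebuild_order(services):
    """services: dict name -> (priority, [dependencies]). Returns an ordered list."""
    indegree = {name: 0 for name in services}
    dependents = defaultdict(list)
    for name, (_, deps) in services.items():
        for dep in deps:
            if dep not in services:
                raise KeyError(f"{name} depends on unknown service {dep}")
            indegree[name] += 1
            dependents[dep].append(name)
    # Kahn's algorithm with a priority heap: among services whose
    # prerequisites are all restored, the most business-critical goes first.
    ready = [(prio, name) for name, (prio, _) in services.items() if indegree[name] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (services[child][0], child))
    if len(order) != len(services):
        raise DependencyCycle(sorted(n for n in services if indegree[n] > 0))
    return order


def waves(services):
    """Group the rebuild order into waves that can be worked in parallel."""
    order = rebuild_order(services)
    depth = {}
    for name in order:
        deps = services[name][1]
        depth[name] = 1 + max((depth[d] for d in deps), default=0)
    grouped = defaultdict(list)
    for name in order:
        grouped[depth[name]].append(name)
    return [grouped[k] for k in sorted(grouped)]


# Constructed inventory modelled on the case study: AD first, then the
# services that authenticate through it. Priorities and the separate
# "sql_server" node are assumptions for illustration, not case-study facts.
CASE_STUDY = {
    "active_directory": (1, []),
    "exchange":         (2, ["active_directory"]),
    "sql_server":       (2, ["active_directory"]),
    "mrp":              (1, ["sql_server"]),
    "accounting":       (3, ["sql_server"]),
    "intranet_web":     (4, ["active_directory"]),
}

if __name__ == "__main__":
    for i, wave in enumerate(waves(CASE_STUDY), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

Note that the MRP system carries the highest business priority but still lands in the third wave: it cannot come back before SQL Server, which cannot come back before Active Directory. Making that ordering explicit before the rebuild starts is what keeps a tired team from reinstalling an application server that will fail to authenticate.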
"For the most part, the production operation showed little impact and we did not miss any customer orders."
Over the following weeks, Progent's consultants and the customer worked closely together to reach important milestones in the recovery:
- Internal web sites were brought back up with no loss of information.
- The MailStore email archive server, holding over 4 million archived Exchange messages, was brought back up and made available to users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory Control capabilities were 100 percent restored.
- A new Palo Alto Networks PA-850 firewall was installed.
- Ninety percent of the desktop computers were operational.
"A huge amount of what was accomplished in the early hours is nearly entirely a haze for me, but I will not soon forget the care each and every one of the team put in to help get our company back. I have trusted Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This event was a life saver."
Conclusion
A potentially company-ending catastrophe was averted through dedicated professionals, a broad range of IT skills, and close teamwork. In hindsight, the incident described here should have been detected and prevented with up-to-date security tooling, ISO/IEC 27001 best practices, user and administrator training, well-designed procedures for protecting data, and timely security patching. The reality, however, is that state-sponsored and criminal cyber gangs from Russia, China and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's team has proven experience in ransomware prevention, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for allowing me to get some sleep after we made it through the initial fire. All of you did an incredible job, and if anyone that helped is around the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Bristol a portfolio of remote monitoring and security evaluation services to help you to minimize the threat from crypto-ransomware. These services include next-generation machine learning technology to detect new strains of ransomware that are able to evade legacy signature-based security products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your network operating efficiently by checking the health of critical assets that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT staff and your assigned Progent consultant so that all potential problems can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-driven platform for monitoring and managing your network, server, and desktop devices by providing an environment for streamlining common time-consuming jobs. These include health monitoring, update management, automated remediation, endpoint setup, backup and recovery, anti-virus defense, remote access, built-in and custom scripts, asset inventory, endpoint profile reports, and troubleshooting help. When ProSight LAN Watch with NinjaOne RMM identifies a serious incident, it transmits an alarm to your designated IT management staff and your assigned Progent technical consultant so that emerging issues can be taken care of before they impact your network. Learn more details about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to diagram, track, optimize and debug their connectivity appliances such as routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept updated, captures and displays the configuration information of virtually all devices on your network, tracks performance, and sends notices when issues are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, finding appliances that need critical updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding suite of real-time and in-depth reporting utilities designed to integrate with the top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as inconsistent support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has partnered with leading backup/restore software providers to produce ProSight Data Protection Services, a selection of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services manage and monitor your backup processes and allow transparent backup and fast recovery of important files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, user error, malicious employees, or software bugs. Managed backup services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these fully managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver centralized management and comprehensive security for all your inbound and outbound email. The hybrid structure of the Email Guard managed service combines cloud-based filtering with a local gateway device to offer advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of threats from reaching your network firewall. This decreases your exposure to external threats and saves bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further level of inspection for inbound email. For outgoing email, the local gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server track and protect internal email traffic that stays within your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA services utilize Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity verification on iOS, Android, and other personal devices. With 2FA, whenever you log into a protected online account and give your password you are asked to confirm who you are via a device that only you possess and that uses a different network channel. A broad selection of out-of-band devices can be used as this added means of authentication such as a smartphone or watch, a hardware token, a landline telephone, etc. You may register multiple verification devices. For details about Duo identity authentication services, go to Cisco Duo MFA two-factor authentication services.
- Outsourced/Co-managed Call Desk: Support Desk Managed Services
Progent's Call Desk services permit your IT group to outsource Help Desk services to Progent or divide activity for Service Desk support seamlessly between your internal network support staff and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a transparent supplement to your in-house network support organization. Client interaction with the Service Desk, provision of support, issue escalation, trouble ticket creation and updates, efficiency measurement, and maintenance of the service database are consistent regardless of whether incidents are resolved by your core support group, by Progent, or both. Find out more about Progent's outsourced/shared Service Center services.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that uses next-generation behavior analysis to guard endpoint devices and physical and virtual servers against new malware attacks such as ransomware and email phishing, which routinely evade traditional signature-based AV products. The service protects local and cloud resources and offers a unified platform covering the entire malware attack lifecycle: blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard information about your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can eliminate up to half of time thrown away searching for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer organizations of any size a flexible and cost-effective solution for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic information system. Besides optimizing the security and reliability of your IT network, Progent's patch management services free up time for your in-house IT staff to focus on line-of-business projects and tasks that deliver maximum business value from your network. Learn more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hardware solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior analysis technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a unified platform to address the entire malware attack lifecycle including blocking, identification, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
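Both descriptions of "one-click rollback with Windows VSS" above (Active Defense Against Ransomware and ProSight Active Security Monitoring) depend on shadow copies still existing when rollback is attempted. Ryuk and most other crypto-ransomware families delete shadow copies and disable boot recovery before encrypting, precisely to defeat that kind of rollback. The Python below is an added example, not SentinelOne's or Progent's code: a small rule set that flags the commands used for that sabotage in process-creation telemetry (Sysmon Event ID 1 or Security event 4688 style fields), so an alert can fire before encryption starts. The event records, host names and rule set are constructed for illustration.

```python
"""Flag process-creation events that destroy Windows recovery points.

Before encrypting, ransomware such as Ryuk routinely deletes Volume Shadow
Copies and disables boot recovery so that VSS-based rollback has nothing to
restore from. This scanner runs a small rule set over process-creation
records and returns the suspicious ones together with the rule that fired.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    image: str            # image basename the command is expected to run under
    pattern: re.Pattern   # applied to the whitespace-normalised, lower-cased command line


RULES = [
    Rule("vss_delete",      "vssadmin.exe",   re.compile(r"\bdelete\s+shadows\b")),
    Rule("vss_resize",      "vssadmin.exe",   re.compile(r"\bresize\s+shadowstorage\b.*\bmaxsize=")),
    Rule("wmic_vss_delete", "wmic.exe",       re.compile(r"\bshadowcopy\b.*\bdelete\b")),
    Rule("bcd_no_recovery", "bcdedit.exe",    re.compile(r"\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b")),
    Rule("wbadmin_delete",  "wbadmin.exe",    re.compile(r"\bdelete\s+(catalog|systemstatebackup)\b")),
    Rule("ps_vss_delete",   "powershell.exe", re.compile(r"win32_shadowcopy.*\bdelete\b")),
]


def normalise(cmdline):
    """Collapse whitespace and lower-case so the rule patterns stay simple."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def basename(image):
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matches(rule, image, cmd):
    # The tool may run directly (image == vssadmin.exe) or be launched through
    # cmd.exe /c, in which case only the command line names it.
    stem = rule.image[: -len(".exe")]
    named = image == rule.image or re.search(r"\b" + re.escape(stem) + r"(\.exe)?\b", cmd)
    return bool(named and rule.pattern.search(cmd))


def scan(events):
    """events: iterable of dicts with 'image', 'cmdline' and optional 'host'.

    Returns one hit per event, for the first rule that fires."""
    hits = []
    for ev in events:
        image = basename(ev["image"])
        cmd = normalise(ev["cmdline"])
        for rule in RULES:
            if matches(rule, image, cmd):
                hits.append({"host": ev.get("host", "?"), "rule": rule.name, "cmdline": ev["cmdline"]})
                break
    return hits


def hosts_by_severity(hits):
    """Hosts ordered by how many sabotage commands fired: the first ones to isolate."""
    counts = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample events (not real telemetry); the host names are made up.
SAMPLE_EVENTS = [
    {"host": "ws-042", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-042", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "vssadmin delete shadows /all /quiet"'},
    {"host": "ws-042", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv-file01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv-bkp01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                          # benign: listing only
    {"host": "srv-file01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"},
    {"host": "srv-file01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs"},    # benign
    {"host": "ws-042", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['host']:<12} {h['rule']:<16} {h['cmdline']}")
    print("isolate first:", hosts_by_severity(found))
```

Listing shadow copies is left unflagged because backup administrators do it routinely; deleting or shrinking them, disabling Windows recovery, or purging the backup catalog is what a legitimate admin almost never does on a workstation, and a single host producing several of these in a row is the signal to isolate it immediately. Rollback through VSS is only a safety net if the shadow copies survive, so a control like this belongs in front of it.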
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to security assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP deployment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry information security standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent's consultants can also help you to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
For 24-Hour Bristol Crypto Recovery Help, call Progent at 800-462-8800 or go to Contact Progent.