Ransomware : Your Worst Information Technology Nightmare
Crypto-ransomware has become a modern cyber pandemic that presents an existential threat to organizations unprepared for an attack. Versions of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and continue to cause destruction. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Egregor, as well as more unnamed malware, not only encrypt on-line data but also infiltrate any configured system backups. Files replicated to cloud environments can also be rendered useless. In a poorly designed environment this can make restore operations hopeless and effectively knock the datacenter back to square one.
Getting programs and information back on-line after a crypto-ransomware outage becomes a sprint against the clock as the targeted business fights to contain the damage, clean up the ransomware, and restore mission-critical activity. Since crypto-ransomware needs time to move laterally, intrusions are frequently triggered on weekends and holidays, when attacks may take longer to notice. This multiplies the difficulty of quickly marshalling and orchestrating a qualified response team.
Progent offers a range of solutions for securing businesses from ransomware attacks. Among these are training staff to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of modern security gateways with machine learning capabilities from SentinelOne to discover and quarantine zero-day cyber attacks rapidly. Progent can also provide the services of veteran crypto-ransomware recovery professionals with the track record and perseverance to restore a compromised system as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not ensure that the hackers will respond with the keys to decrypt any or all of your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to set up the vital components of your Information Technology environment from scratch. Absent access to complete system backups, this requires a wide complement of IT skills, well-coordinated team management, and the willingness to work 24x7 until the task is done.
For two decades, Progent has provided expert Information Technology services for companies in Bristol and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally renowned certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the ability to efficiently understand the necessary systems, reorganize the surviving pieces of your network after a ransomware event, and rebuild them into a functioning system.
Progent's ransomware team deploys best-of-breed project management tools to coordinate the complex recovery process. Progent knows the importance of working swiftly and in concert with a customer's management and Information Technology resources to prioritize tasks and to put critical applications back on-line as fast as possible.
Customer Story: A Successful Ransomware Intrusion Recovery
A client engaged Progent after their network was taken over by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored cybercriminals, suspected of using approaches leaked from the United States National Security Agency. Ryuk goes after specific organizations with little or no room for disruption and is one of the most lucrative iterations of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago with about 500 staff members. The Ryuk event had disabled all company operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the beginning of the intrusion and were encrypted. The client was evaluating paying the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.
"I can't say enough about the expertise Progent gave us throughout the most critical period of (our) company's existence. We would have had little choice but to pay the criminal gangs if not for the confidence the Progent group provided us. That you were able to get our e-mail and essential servers back online in less than five days was beyond my wildest dreams. Every single consultant I worked with or e-mailed at Progent was amazingly focused on getting our company operational and was working day and night on our behalf."
Progent worked with the customer to rapidly assess and prioritize the key services that had to be recovered to make it possible to restart business operations:
- Active Directory
- Microsoft Exchange Email
First, Progent followed ransomware incident response best practices by halting the spread and clearing infected systems. Progent then began recovering Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Active Directory, and the customer's MRP software relied on Microsoft SQL Server, which depends on Active Directory to control access to its data.
In less than 48 hours, Progent recovered Windows Active Directory to its pre-attack state. Progent then performed setup and storage recovery on key systems. All Exchange Server ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to locate local OST files (Microsoft Outlook Offline Data Files) on various desktop computers to recover email data. A recent offline backup of the client's accounting/MRP software allowed these required programs to be brought back online for users. Although a lot of work remained to recover fully from the Ryuk damage, essential services were restored rapidly:
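The recovery above was ordered by dependency: Active Directory first, because Exchange and SQL Server authenticate through it, and the MRP application only after SQL Server. The following is an added example written for this page, not Progent's tooling; it generalizes that reasoning into a dependency-ordered recovery plan. The service graph and the priority numbers are constructed for illustration, and `effective_priority` is a design choice of this example: a dependency inherits the urgency of the most urgent service that needs it, so a "low priority" domain controller is still rebuilt first when a priority-one application sits behind it.

```python
"""Dependency-ordered recovery plan (added example, not Progent's tooling).

Declare what each service depends on and how urgent it is, then compute an
order in which nothing is rebuilt before the things it needs. The service
graph and priorities below are constructed, not taken from the case study.
"""

# Constructed sample: service -> services it depends on.
SAMPLE_DEPENDENCIES = {
    "Active Directory": set(),
    "Exchange Server": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "MRP application": {"SQL Server"},
    "MailStore archive": {"Exchange Server"},
    "Intranet web sites": {"Active Directory"},
    "User desktops": {"Active Directory", "Exchange Server"},
}

# Constructed business priority: lower number = bring back sooner.
# Services not listed default to the lowest urgency.
SAMPLE_PRIORITY = {
    "Exchange Server": 1,
    "MRP application": 1,
    "Intranet web sites": 3,
    "MailStore archive": 4,
    "User desktops": 5,
}


def _all_services(dependencies):
    """Every service named anywhere, including ones that only appear as a dependency."""
    nodes = set(dependencies)
    for deps in dependencies.values():
        nodes |= set(deps)
    return nodes


def effective_priority(dependencies, priority, default=99):
    """A dependency inherits the urgency of the most urgent service that needs it:
    if the MRP application is priority 1, SQL Server and Active Directory are too."""
    eff = {svc: priority.get(svc, default) for svc in _all_services(dependencies)}
    changed = True
    while changed:  # values only ever decrease, so this terminates
        changed = False
        for svc, deps in dependencies.items():
            for dep in deps:
                if eff[svc] < eff[dep]:
                    eff[dep] = eff[svc]
                    changed = True
    return eff


def recovery_order(dependencies, priority=None):
    """Kahn's topological sort: every service appears after its dependencies,
    ties broken by effective priority, then by name. Raises ValueError on a cycle."""
    eff = effective_priority(dependencies, priority or {})
    remaining = {svc: set(dependencies.get(svc, ())) for svc in eff}
    dependents = {svc: set() for svc in eff}
    for svc, deps in remaining.items():
        for dep in deps:
            dependents[dep].add(svc)
    ready = [svc for svc in eff if not remaining[svc]]
    order = []
    while ready:
        ready.sort(key=lambda s: (eff[s], s))
        svc = ready.pop(0)
        order.append(svc)
        for child in dependents[svc]:
            remaining[child].discard(svc)
            if not remaining[child]:
                ready.append(child)
    if len(order) != len(eff):
        stuck = sorted(s for s in eff if remaining[s])
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def recovery_waves(dependencies):
    """Group services into waves that can be worked on in parallel: a wave holds
    every service whose dependencies were all restored in earlier waves."""
    nodes = _all_services(dependencies)
    done, waves = set(), []
    while len(done) < len(nodes):
        wave = sorted(s for s in nodes if s not in done
                      and set(dependencies.get(s, ())) <= done)
        if not wave:
            raise ValueError("dependency cycle: no service can be restored next")
        waves.append(wave)
        done |= set(wave)
    return waves


if __name__ == "__main__":
    for i, svc in enumerate(recovery_order(SAMPLE_DEPENDENCIES, SAMPLE_PRIORITY), 1):
        print(f"{i}. {svc}")
```

`recovery_order` gives the sequence for a single team working through the list; `recovery_waves` shows which services can be rebuilt in parallel once extra engineers are available, which is how a multi-consultant response like the one described here is actually staffed.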
"For the most part, the production line operation ran fairly normal throughout and we produced all customer orders."
Over the next couple of weeks, critical milestones in the restoration process were achieved in close cooperation between Progent consultants and the customer:
- In-house web sites were brought back up without losing any information.
- The MailStore email archive for Microsoft Exchange Server, holding more than four million historical emails, was brought online and made accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory functions were 100 percent restored.
- A new Palo Alto 850 security appliance was brought online.
- 90% of the user desktops were fully operational.
"Much of what occurred that first week is mostly a haze for me, but our team will not soon forget the urgency all of you accomplished to give us our business back. I've trusted Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."
A probable enterprise-killing catastrophe was averted through results-oriented experts, a broad array of technical expertise, and close collaboration. Forensics showed that the ransomware incident detailed here should have been stopped by advanced security systems and security best practices, user training, and well-designed procedures for information backup and software patching. Nevertheless, the fact remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of professionals has proven experience in ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for making it so I could get rested after we got past the initial fire. Everyone did a fabulous effort, and if anyone that helped is in the Chicago area, dinner is my treat!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Bristol a portfolio of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services include next-generation artificial intelligence capability to uncover new variants of ransomware that can evade legacy signature-based anti-virus solutions.
For 24/7/365 Bristol Crypto Removal Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavior-based analysis tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and fileless exploits, which routinely escape traditional signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to automate the complete malware attack lifecycle including blocking, detection, containment, remediation, and forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring of and response to security assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you in specifying and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent's consultants can also assist your company to install and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has worked with advanced backup technology companies to create ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS products manage and track your backup processes and enable non-disruptive backup and rapid restoration of vital files, applications, images, and virtual machines. ProSight DPS lets your business avoid data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or application bugs. Managed services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these fully managed backup services are best suited for your IT environment.
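The case study above turned on one detail: most of the client's backups were reachable from the compromised network and were encrypted along with everything else, so "we have backups" meant nothing until someone checked them. The following is an added example written for this page, not ProSight DPS code or any vendor's tooling. It shows the two checks a restore drill can run offline against a backup set: integrity against a manifest of SHA-256 hashes recorded when the backup was taken, and a Shannon-entropy heuristic that flags a previously low-entropy file that now looks like ciphertext. All file contents and paths are constructed in memory; the entropy threshold and minimum file size are assumptions of this example.

```python
"""Offline backup verification (added example, not ProSight DPS code).

Two checks a restore drill can run before trusting a backup set:
1. Integrity: every file must still match the SHA-256 recorded in a manifest
   written when the backup was taken.
2. Encryption heuristic: a file whose recorded entropy was low but which now
   sits near 8 bits per byte has most likely been encrypted in place, which is
   what happens to backups that ransomware can reach.
All file contents below are constructed in memory; paths are illustrative.
"""
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files: dict) -> dict:
    """Record hash, size and entropy per path at backup time."""
    return {
        path: {"sha256": sha256_hex(content), "size": len(content),
               "entropy": round(shannon_entropy(content), 3)}
        for path, content in files.items()
    }


def verify_backup(manifest: dict, files: dict,
                  entropy_threshold: float = 7.5, min_size: int = 1024) -> dict:
    """Compare the current backup set against its manifest.

    Returns {path: status} with one of:
      ok          unchanged
      missing     listed in the manifest but absent now
      unexpected  present now but not in the manifest
      encrypted?  hash changed and entropy jumped from below to above the threshold
      modified    hash changed for any other reason
    The entropy verdict is only given for files of at least min_size bytes
    (assumed 1024 here), since entropy estimates on tiny inputs are unreliable.
    """
    report = {}
    for path, expected in manifest.items():
        if path not in files:
            report[path] = "missing"
            continue
        content = files[path]
        if sha256_hex(content) == expected["sha256"]:
            report[path] = "ok"
            continue
        now = shannon_entropy(content)
        looks_encrypted = (len(content) >= min_size
                           and expected["entropy"] < entropy_threshold
                           and now >= entropy_threshold)
        report[path] = "encrypted?" if looks_encrypted else "modified"
    for path in files:
        if path not in manifest:
            report[path] = "unexpected"
    return report


def _pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed "backup as taken" and "backup as found after an incident".
ORIGINAL_FILES = {
    "ledger/2023-q4.csv": b"\n".join(b"2023-12-%02d,INV-%04d,%d.00" % (d % 28 + 1, d, 100 + d)
                                     for d in range(200)),
    "docs/sop-restore.txt": b"Step 1: isolate host. Step 2: restore AD. " * 80,
    "config/app.ini": b"[db]\nhost=sql01\nport=1433\n",
}
FOUND_FILES = dict(ORIGINAL_FILES)
FOUND_FILES["ledger/2023-q4.csv"] = _pseudo_random_bytes(b"constructed", 8192)  # encrypted in place
FOUND_FILES["config/app.ini"] = b"[db]\nhost=sql02\nport=1433\n"              # edited, not encrypted
del FOUND_FILES["docs/sop-restore.txt"]                                         # deleted
FOUND_FILES["ledger/2023-q4.csv.locked"] = b"pay up"                            # stray file

if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_FILES)
    for path, status in sorted(verify_backup(manifest, FOUND_FILES).items()):
        print(f"{status:<11} {path}")
```

The manifest must live somewhere the backup host cannot overwrite (printed, or on a medium that is offline between runs), otherwise an attacker who can encrypt the backups can regenerate the manifest too. The entropy check is a heuristic: already-compressed or encrypted archives are high-entropy by design, which is why the manifest records entropy at backup time and the verdict is based on the change rather than the absolute value.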
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security companies to deliver centralized management and comprehensive protection for your inbound and outbound email. The hybrid architecture of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. The cloud filter acts as a first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises security gateway device provides a further level of analysis for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their connectivity hardware like routers, firewalls, and access points plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept current, copies and displays the configuration of almost all devices connected to your network, tracks performance, and sends alerts when potential issues are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, locating appliances that require important updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network operating efficiently by checking the health of critical computers that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so any potential issues can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault-tolerant data center on a fast virtual machine host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved immediately to a different hosting solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data about your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate as much as 50% of time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're making enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes next-generation behavior-based machine learning tools to defend endpoint devices as well as servers and VMs against modern malware assaults like ransomware and fileless exploits, which routinely evade traditional signature-based AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and offer a unified platform to manage the entire malware attack progression including filtering, detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and real-time system-wide immunization against new threats. Learn more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Help Center: Support Desk Managed Services
Progent's Help Center services enable your IT staff to outsource Support Desk services to Progent or split responsibilities for Help Desk services seamlessly between your in-house support team and Progent's nationwide pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth extension of your internal network support group. Client interaction with the Help Desk, delivery of support services, escalation, trouble ticket creation and tracking, efficiency measurement, and maintenance of the service database are cohesive whether incidents are taken care of by your corporate IT support staff, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Service Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide organizations of any size a versatile and affordable solution for assessing, validating, scheduling, implementing, and documenting updates to your dynamic IT network. In addition to maximizing the security and reliability of your IT environment, Progent's patch management services free up time for your IT staff to concentrate on line-of-business projects and tasks that derive maximum business value from your network. Find out more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against compromised passwords by using two-factor authentication (2FA). Duo enables one-tap identity verification on iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a protected online account and give your password, you are asked to confirm your identity via a device that only you have and that uses a different network channel. A broad selection of out-of-band devices can be used for this second means of authentication, such as a smartphone or wearable, a hardware or software token, or a landline phone. You can designate several verification devices. To find out more about ProSight Duo identity authentication services, refer to Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of real-time management reporting tools designed to work with the industry's leading ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-through or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.