Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a modern cyberplague that poses an enterprise-level danger to businesses of all sizes that are poorly prepared for an attack. Older ransomware families such as Reveton, WannaCry, Bad Rabbit and MongoLock (and the Syskey lockouts abused in tech-support scams) have been around for years and continue to cause damage. Current families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, along with newcomers that appear almost daily, not only encrypt online data but also encrypt or delete any backups they can reach. Data synchronized to cloud storage can be rendered useless as well, because the encrypted files simply replicate over the good copies. In a poorly architected data protection solution this makes automated restoration impossible and effectively sets the datacenter back to square one.
Getting services and data back online after a crypto-ransomware attack becomes a race against time as the victim struggles to contain the damage, eradicate the ransomware, and resume business-critical operations. Because operators need time to move laterally and stage the encryption payload, the final detonation is often launched at night or over a weekend, when it takes longer to notice and nobody is on site to pull the plug. This compounds the difficulty of rapidly mobilizing and coordinating an experienced response team.
Progent provides a range of services for protecting organizations from ransomware. Among these are staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation endpoint protection built on SentinelOne's behavioral AI to identify and quarantine zero-day threats quickly. Progent can also provide expert ransomware recovery engineers with the track record and commitment to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware intrusion, paying the ransom in Bitcoin provides no assurance that the criminals will deliver working keys to decrypt all your data. Kaspersky Lab estimated that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive: Ryuk demands frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the key parts of your IT environment. Without complete, uncompromised backups, this requires a broad complement of IT skills, professional project management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has provided expert IT services to businesses in Bristol and throughout the US and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers with high-level industry certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security engineers hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of expertise gives Progent the skills to rapidly identify the critical systems, triage the surviving components of your IT environment after a ransomware event, and rebuild them into a functioning whole.
Progent's security group uses proven project management tools to coordinate the complex restoration process. Progent understands the importance of acting rapidly and in concert with a customer's management and IT staff to prioritize tasks and get key systems back online as soon as possible.
Client Story: A Successful Ransomware Recovery
A client sought out Progent after its network was hit by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group and is typically deployed by hand after an initial Trickbot or Emotet foothold rather than by a self-spreading exploit. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most lucrative ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer in the Chicago metro area with about 500 employees. The Ryuk intrusion had halted all company operations and manufacturing. Most of the client's backups had been directly accessible from the network at the start of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but in the end decided to engage Progent.
"I can't say enough about the care Progent gave us during the most critical period of (our) company's survival. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent team provided us. The fact that you were able to get our messaging and important applications back faster than 1 week was incredible. Every single consultant I got help from or texted at Progent was hell bent on getting our system up and was working all day and night on our behalf."
Progent worked with the client to quickly identify and prioritize the essential systems that had to be restored before departmental functions could resume:
- Active Directory
- Email
First, Progent followed ransomware incident response best practice by isolating the affected systems and eradicating the malware. Progent then began restoring Active Directory, the foundation of any Microsoft-based enterprise environment: Exchange will not function without AD, and the client's financial and MRP applications ran on SQL Server, which relied on AD for authentication and access to the data.
Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then helped set up and recover storage on critical systems. Exchange Server's Active Directory objects and attributes were intact, which greatly simplified the restoration of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on various workstations and recover mail messages from them. A reasonably recent offline backup of the client's manufacturing systems made it possible to get those essential applications back in service. Although significant work remained to recover completely from the Ryuk attack, the most important services were restored quickly:
"For the most part, the production line operation survived unscathed and we did not miss any customer shipments."
Over the next couple of weeks, key milestones in the recovery project were reached through close cooperation between Progent and the client:
- Self-hosted web applications were restored without losing any data.
- The MailStore email archive, holding more than 4 million historical messages, was restored to operation and made accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory control functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Most of the desktops and laptops were functioning as before the incident.
"Much of what went on during the initial response is mostly a fog for me, but my management will not soon forget the care each of you accomplished to give us our business back. I've trusted Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered as promised. This event was a testament to your capabilities."
A likely business catastrophe was averted thanks to top-tier experts, a wide range of subject matter expertise, and tight teamwork. In hindsight, the intrusion described here should have been detected and blocked by up-to-date security technology, NIST Cybersecurity Framework best practices, user education, well-designed incident response procedures, offline backups and proper patch management. The reality remains that state-sponsored and criminal actors from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by a ransomware attack, remember that Progent's experts have extensive experience in ransomware defense, cleanup and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), I'm grateful for making it so I could get rested after we got over the most critical parts. All of you did an impressive job, and if any of your guys is around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Bristol a portfolio of remote monitoring and security assessment services designed to help minimize the threat from ransomware. These services use behavior-based detection and machine learning to catch new ransomware variants that get past legacy signature-based security products.
For 24x7x365 Bristol Ransomware Repair Consulting, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's behavior-based analysis to defend physical and virtual endpoints against new malware such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to address the entire malware attack lifecycle: prevention, detection, containment, cleanup and post-attack forensics. Key capabilities include single-click rollback of encrypted files using Windows Volume Shadow Copy Service (VSS) snapshots, which is only effective if the shadow copies themselves are protected, since ransomware routinely deletes them before encrypting, and automatic network-wide immunization against newly seen attacks. Progent is a SentinelOne Partner, dealer and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services deliver economical multi-layer protection for physical servers and VMs, workstations, mobile devices and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and response to attacks across all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management and web filtering via leading-edge tools combined in a single agent managed from a single console. Progent's data protection and virtualization experts can help you design and implement a ProSight ESP deployment that addresses your organization's specific needs and helps you demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also help you install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with advanced backup software companies to produce ProSight Data Protection Services, a portfolio of offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup processes and enable transparent backup and fast recovery of important files/folders, applications, images, and VMs. ProSight DPS lets you avoid data loss resulting from equipment failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or software bugs. Managed backup services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these fully managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of leading information security vendors to provide centralized control and comprehensive protection for your inbound and outbound email. Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to defend against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs) and other email-borne threats. Email Guard's cloud filter acts as the first line of defense and blocks most threats before they reach your network perimeter. This decreases your exposure to external threats and saves bandwidth and storage. Email Guard's onsite gateway adds a deeper level of inspection for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam protection, DLP and email encryption. The local gateway can also help Exchange Server monitor and safeguard internal email that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map out, monitor, enhance and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are kept updated, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, finding devices that require important software patches, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your IT system running at peak levels by checking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT management personnel and your Progent engineering consultant so that any potential issues can be resolved before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be moved immediately to a different hardware solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that lets you capture, maintain, find and safeguard information about your network infrastructure, processes, applications and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By keeping your IT documentation current and organized, you can eliminate as much as 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management provides a common location for storing and collaborating on all documents required for managing your infrastructure, such as recommended procedures and how-tos. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Find out more about the ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses behavior-based machine learning to guard endpoints, servers and VMs against new malware such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus tools. The service safeguards local and cloud resources and provides a unified platform to automate the complete threat lifecycle: protection, detection, containment, remediation and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and recovery services.
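A check a practitioner will want alongside both the ProSight Active Security Monitoring and the Active Defense Against Ransomware descriptions above: VSS-based rollback only works if the shadow copies survive, and ransomware almost always deletes them before encrypting. The following is an added example, not Progent's or SentinelOne's code. It scans constructed process-creation log lines (a pipe-delimited Sysmon Event ID 1 / Security 4688 style format, assumed for the example) for the well-known shadow-copy and backup-catalog tampering commands, and flags events outside assumed business hours, the night and weekend windows the page notes attackers favor.

```python
"""Detect shadow-copy and backup-catalog tampering in process-creation events.

Added example, not Progent's or SentinelOne's code.  Ransomware operators
routinely delete Volume Shadow Copies and the Windows backup catalog before
encrypting, which defeats VSS-based rollback (MITRE ATT&CK T1490).  This scans
constructed Sysmon Event ID 1 / Security 4688-style lines for the well-known
command patterns and flags events that fall outside business hours.
"""
import re
from datetime import datetime

# Command-line patterns that destroy restore points or backup catalogs.
# Not exhaustive; tune for your environment (e.g. exclude known backup jobs).
TAMPER_PATTERNS = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin-resize-shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin-delete-catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit-disable-recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell-win32-shadowcopy-delete",
     re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I)),
]

# Assumed (constructed) event format:
# "<ISO-8601 timestamp>|<host>|<user>|<parent image>|<command line>"
# maxsplit=4 keeps any '|' inside the command line intact.
def parse_event(line):
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmd = parts
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "cmd": cmd}

def off_hours(ts, start_hour=7, end_hour=19):
    """True on weekends or outside start_hour..end_hour (assumed business hours)."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)

def classify(cmd):
    """Name of the first tamper pattern the command line matches, or None."""
    for name, pattern in TAMPER_PATTERNS:
        if pattern.search(cmd):
            return name
    return None

def scan(lines):
    """One alert dict per matching event, in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        rule = classify(ev["cmd"])
        if rule is None:
            continue
        alerts.append({"rule": rule, "time": ev["ts"].isoformat(),
                       "host": ev["host"], "user": ev["user"],
                       "parent": ev["parent"], "off_hours": off_hours(ev["ts"]),
                       "cmd": ev["cmd"]})
    return alerts

def hosts_with_tampering(alerts):
    """Earliest tampering event per host: the list to isolate first."""
    first = {}
    for a in alerts:
        first.setdefault(a["host"], a["time"])
    return first

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # Benign activity
    "2020-03-11T11:03:40|MGMT01|CORP\\admin_ops|powershell.exe|vssadmin.exe list shadows",
    "2020-03-13T10:42:11|WS-ACCT-07|CORP\\jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt",
    # Admin pruning the oldest snapshot on a Thursday afternoon: alert, but low urgency
    "2020-03-12T14:05:00|WS-IT-02|CORP\\admin_ops|powershell.exe|vssadmin.exe delete shadows /for=C: /oldest",
    # Ransomware pre-encryption sequence early on a Saturday morning
    "2020-03-14T02:17:05|FILESRV01|CORP\\svc_backup|cmd.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2020-03-14T02:17:09|FILESRV01|CORP\\svc_backup|cmd.exe|wmic.exe shadowcopy delete",
    "2020-03-14T02:17:12|FILESRV01|CORP\\svc_backup|cmd.exe|bcdedit.exe /set {default} recoveryenabled No",
    "2020-03-14T02:17:15|FILESRV01|CORP\\svc_backup|cmd.exe|wbadmin.exe delete catalog -quiet",
    "2020-03-14T02:17:18|FILESRV01|CORP\\svc_backup|cmd.exe|powershell.exe -nop -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        flag = "OFF-HOURS " if a["off_hours"] else ""
        print(f"{a['time']} {flag}{a['host']} {a['user']} [{a['rule']}] {a['cmd']}")
    print("isolate first:", hosts_with_tampering(scan(SAMPLE_EVENTS)))
```

The business-hours hit on WS-IT-02 shows why these rules should alert rather than block outright: administrators do prune snapshots. The Saturday 02:17 burst on FILESRV01 under a backup service account is the pattern to page on and isolate immediately, and it is exactly the event that, if missed, leaves the EDR's rollback feature with nothing to roll back to.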
- Progent's Outsourced/Shared Service Center: Help Desk Managed Services
Progent's Help Center services permit your IT staff to offload Help Desk services to Progent or split responsibilities for Help Desk services transparently between your internal support resources and Progent's extensive pool of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a seamless extension of your internal IT support team. User interaction with the Service Desk, provision of technical assistance, issue escalation, ticket creation and updates, performance metrics, and maintenance of the service database are consistent whether incidents are resolved by your corporate support group, by Progent, or by a combination. Read more about Progent's outsourced/shared Help Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management offer businesses of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting updates to your ever-evolving IT system. In addition to maximizing the security and reliability of your IT network, Progent's patch management services free up time for your IT team to concentrate on more strategic projects and tasks that deliver maximum business value from your information network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services use Cisco's Duo technology to protect against compromised passwords through two-factor authentication. Duo enables one-tap identity verification on Apple iOS, Android and other personal devices. With Duo 2FA, whenever you sign into a protected application and enter your password, you are prompted to confirm your identity on a device that only you possess, over a separate channel. A broad range of devices can serve as this second factor, including an iPhone, Android phone or wearable, a hardware token, or a landline telephone, and you can register several verification devices. To find out more about ProSight Duo two-factor identity validation services, visit Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of in-depth reporting plug-ins designed to work with leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik and SentinelOne. ProSight Reporting uses Microsoft Graph and color coding to highlight and contextualize key issues such as spotty support follow-up or endpoints with out-of-date antivirus. By surfacing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, reduces management overhead and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.