Crypto-Ransomware : Your Feared IT Nightmare
Ransomware has become an escalating cyber pandemic that poses an existential threat for businesses vulnerable to an attack. Different versions of ransomware like the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and continue to cause damage. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as frequent as yet unnamed newcomers, not only do encryption of on-line data files but also infiltrate all available system backups. Data replicated to off-site disaster recovery sites can also be held hostage. In a vulnerable data protection solution, this can make automated recovery useless and effectively sets the datacenter back to square one.
Getting back on-line programs and data following a ransomware event becomes a sprint against the clock as the targeted organization tries its best to contain the damage, cleanup the ransomware, and restore enterprise-critical operations. Since ransomware requires time to move laterally, attacks are frequently launched during nights and weekends, when successful attacks are likely to take longer to uncover. This compounds the difficulty of rapidly mobilizing and orchestrating a qualified mitigation team.
Progent makes available an assortment of solutions for securing enterprises from crypto-ransomware attacks. These include team member education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of the latest generation security solutions with machine learning technology from SentinelOne to detect and quarantine zero-day cyber attacks rapidly. Progent in addition provides the assistance of experienced ransomware recovery consultants with the skills and perseverance to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
Following a crypto-ransomware penetration, sending the ransom in cryptocurrency does not provide any assurance that cyber criminals will provide the needed keys to decipher all your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms are often several hundred thousand dollars. For larger enterprises, the ransom can be in the millions. The other path is to setup from scratch the mission-critical parts of your Information Technology environment. Absent the availability of full information backups, this calls for a broad range of skill sets, well-coordinated project management, and the ability to work continuously until the job is finished.
For two decades, Progent has made available professional Information Technology services for companies across the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned top industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-recognized industry certifications including CISA, CISSP, CRISC, GIAC, and CMMC 2.0. (See Progent's certifications). Progent in addition has expertise in financial systems and ERP software solutions. This breadth of experience affords Progent the capability to rapidly determine important systems and consolidate the remaining components of your network environment following a crypto-ransomware attack and rebuild them into a functioning network.
Progent's ransomware team of experts deploys state-of-the-art project management tools to coordinate the complicated restoration process. Progent knows the urgency of working quickly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to get the most important services back on line as fast as humanly possible.
Customer Story: A Successful Ransomware Incident Recovery
A small business hired Progent after their network system was penetrated by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state criminal gangs, possibly using technology exposed from the United States NSA organization. Ryuk goes after specific businesses with limited room for operational disruption and is among the most profitable instances of ransomware. Headline targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area and has around 500 employees. The Ryuk intrusion had disabled all company operations and manufacturing processes. The majority of the client's backups had been online at the beginning of the intrusion and were damaged. The client was evaluating paying the ransom demand (more than $200K) and praying for the best, but ultimately reached out to Progent.
"I can't thank you enough in regards to the support Progent provided us throughout the most critical time of (our) businesses life. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group provided us. That you were able to get our messaging and important servers back faster than a week was amazing. Each person I got help from or messaged at Progent was amazingly focused on getting us working again and was working day and night to bail us out."
Progent worked with the client to rapidly understand and assign priority to the key applications that needed to be restored to make it possible to continue business functions:
- Active Directory
- Microsoft Exchange Server
- MRP System
To start, Progent followed ransomware penetration response industry best practices by halting lateral movement and removing active viruses. Progent then began the task of rebuilding Windows Active Directory, the heart of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange messaging will not work without AD, and the customer's accounting and MRP applications leveraged SQL Server, which requires Active Directory for authentication to the database.
In less than 2 days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then assisted with rebuilding and hard drive recovery of the most important applications. All Microsoft Exchange Server data and attributes were usable, which accelerated the restore of Exchange. Progent was also able to collect local OST files (Outlook Off-Line Data Files) on staff PCs and laptops to recover mail information. A recent offline backup of the customer's accounting software made it possible to recover these essential applications back online for users. Although a large amount of work needed to be completed to recover totally from the Ryuk event, essential systems were restored quickly:
"For the most part, the manufacturing operation was never shut down and we made all customer deliverables."
Over the following few weeks critical milestones in the restoration process were achieved through tight cooperation between Progent engineers and the customer:
- Internal web applications were brought back up without losing any information.
- The MailStore Server exceeding four million archived emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were fully restored.
- A new Palo Alto 850 firewall was brought online.
- Ninety percent of the user desktops were functioning as before the incident.
"A lot of what went on those first few days is mostly a fog for me, but our team will not soon forget the commitment all of you accomplished to help get our business back. I've entrusted Progent for the past 10 years, possibly more, and each time Progent has come through and delivered as promised. This event was a stunning achievement."
Conclusion
A possible business-killing disaster was averted through the efforts of dedicated professionals, a wide range of IT skills, and tight collaboration. Although upon completion of forensics the crypto-ransomware attack described here could have been blocked with advanced cyber security technology and NIST Cybersecurity Framework best practices, staff training, and properly executed security procedures for information backup and applying software patches, the reality is that state-sponsored hackers from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of experts has proven experience in ransomware virus blocking, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for allowing me to get some sleep after we made it through the initial fire. All of you did an incredible job, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Broomfield a range of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services include next-generation machine learning technology to detect zero-day strains of ransomware that can escape detection by legacy signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based analysis technology to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily get by legacy signature-based anti-virus tools. ProSight ASM protects local and cloud resources and provides a single platform to manage the entire threat progression including blocking, detection, containment, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can assist your business to design and implement a ProSight ESP environment that addresses your company's specific requirements and that allows you prove compliance with government and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent's consultants can also help your company to install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup technology providers to produce ProSight Data Protection Services (DPS), a portfolio of offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and track your data backup processes and enable transparent backup and fast recovery of critical files/folders, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or application glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to provide web-based control and world-class protection for your inbound and outbound email. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with a local gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and blocks most threats from making it to your network firewall. This reduces your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a further level of inspection for incoming email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map, track, optimize and debug their networking appliances like routers, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are always current, copies and displays the configuration information of almost all devices on your network, monitors performance, and generates notices when issues are detected. By automating time-consuming management activities, ProSight WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, locating appliances that need important updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the health of critical computers that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT management personnel and your Progent engineering consultant so all potential problems can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported immediately to an alternate hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard data about your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as half of time wasted looking for vital information about your network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that utilizes cutting edge behavior machine learning tools to guard endpoints as well as servers and VMs against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based AV tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provides a single platform to automate the entire threat progression including filtering, identification, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Center: Help Desk Managed Services
Progent's Support Center services enable your information technology staff to outsource Support Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house network support team and Progent's nationwide pool of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth extension of your core network support team. Client access to the Service Desk, delivery of technical assistance, problem escalation, trouble ticket generation and updates, performance measurement, and maintenance of the service database are consistent regardless of whether issues are taken care of by your in-house support organization, by Progent's team, or a mix of the two. Read more about Progent's outsourced/shared Service Desk services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management provide businesses of all sizes a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and tracking updates to your ever-evolving IT network. Besides maximizing the security and reliability of your computer network, Progent's software/firmware update management services permit your in-house IT staff to concentrate on more strategic projects and tasks that derive the highest business value from your information network. Learn more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication services incorporate Cisco's Duo technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity verification on iOS, Android, and other out-of-band devices. Using Duo 2FA, when you log into a protected application and give your password you are asked to confirm who you are on a unit that only you have and that is accessed using a different network channel. A wide selection of devices can be utilized for this second means of authentication including a smartphone or watch, a hardware token, a landline telephone, etc. You may designate multiple verification devices. For more information about ProSight Duo identity validation services, see Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of real-time and in-depth reporting plug-ins created to integrate with the industry's top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like spotty support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For Broomfield 24/7/365 Crypto Repair Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.