Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become a too-frequent cyberplague that represents an enterprise-level danger for businesses poorly prepared for an assault. Versions of ransomware such as the Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and continue to cause damage. The latest strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nephilim, as well as as-yet-unnamed newcomers that appear daily, not only encrypt critical on-line data but also infiltrate any reachable system backups. Files replicated to off-site disaster recovery sites can also be held hostage. In a poorly architected environment, this can render any recovery useless and effectively set the network back to square one.
Getting services and information back on-line following a ransomware intrusion becomes a race against the clock as the victim struggles to stop the spread, clean up the crypto-ransomware, and restore business-critical activity. Because ransomware takes time to replicate, assaults are usually launched at night, when a successful attack often takes longer to notice. This compounds the difficulty of quickly marshalling and coordinating a qualified response team.
Progent makes available an assortment of solutions for protecting businesses from ransomware attacks. These include user education to help staff recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security appliances with machine learning capabilities from SentinelOne to detect and disable zero-day cyber attacks intelligently. Progent also offers the services of veteran crypto-ransomware recovery consultants with the track record and commitment to restore a compromised network as soon as possible.
Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency does not ensure that the cyber criminals will respond with the keys to decrypt all your data. Kaspersky ascertained that seventeen percent of ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The gamble is also very expensive. Ryuk ransoms are typically a few hundred thousand dollars. For larger enterprises, the ransom demand can reach millions of dollars. The alternative is to set up the key parts of your IT environment from scratch. Absent essential system backups, this requires a broad range of skill sets, well-coordinated team management, and the capability to work non-stop until the task is done.
For two decades, Progent has offered expert Information Technology services for companies across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0 (visit Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the skills to quickly understand critical systems, organize the surviving components of your network environment after a ransomware penetration, and assemble them into a functioning network.
Progent's recovery team deploys state-of-the-art project management tools to orchestrate the complex recovery process. Progent appreciates the importance of working quickly and together with a customer's management and Information Technology resources to prioritize tasks and to put key services back on-line as soon as humanly possible.
Client Case Study: A Successful Ransomware Virus Recovery
A business sought out Progent after their network was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting strategies leaked from America's NSA organization. Ryuk targets specific organizations with little ability to sustain disruption and is one of the most lucrative iterations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. The majority of the client's system backups had been online at the beginning of the attack and were encrypted. The client was actively seeking loans to pay the ransom (in excess of $200,000) and hoping for the best, but in the end engaged Progent.
"I cannot tell you enough in regards to the help Progent provided us during the most critical time of (our) company's existence. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent team afforded us. The fact that you were able to get our messaging and important applications back online in less than one week was incredible. Every single staff member I spoke to or messaged at Progent was hell bent on getting us back online and was working non-stop on our behalf."
Progent worked together with the client to rapidly assess and prioritize the essential systems that needed to be recovered to make it possible to resume departmental operations:
- Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for anti-virus/malware incident response by isolating systems and cleaning them of the malware. Progent then initiated the process of bringing Microsoft Active Directory back online, since AD is the foundation of enterprise networks built upon Microsoft Windows technology: Exchange email will not function without AD, and the customer's MRP software relied on Microsoft SQL Server, which in turn needs Active Directory to authorize access to the data.
In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then set up and performed disk recovery on the most important applications. All Microsoft Exchange Server links and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect local OST files (Outlook offline folder files) from user PCs and laptops in order to recover mail messages. A recent offline backup of the business's accounting/MRP systems made it possible to bring these vital applications back online for users. Although significant work remained to recover fully from the Ryuk damage, essential systems were restored rapidly:
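The restoration order above follows the dependency chain AD -> SQL Server -> MRP, with Exchange alongside SQL Server. The following is an added example (not Progent's tooling) that turns such a dependency map into parallel recovery waves and flags systems that stay blocked because a prerequisite has no usable restore source; the service names and the "Web applications" entry are constructed for illustration.

```python
"""Dependency-ordered recovery planning for the case study's core systems.

Added example, not Progent's own tooling: given which systems depend on
which, and which ones still have a usable restore source, compute the order
in which they can be brought back and which ones are blocked.
"""

# Constructed from the case study: Exchange and SQL Server need Active
# Directory; the accounting/MRP application needs SQL Server. The web
# applications entry is an assumed extra dependency for illustration.
DEPENDENCIES = {
    "Active Directory": set(),
    "Exchange": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "Accounting/MRP": {"SQL Server"},
    "Web applications": {"Active Directory", "SQL Server"},
}


def recovery_waves(deps):
    """Kahn's algorithm: return lists of systems that can be restored in
    parallel; each wave depends only on earlier waves. Raises on a cycle."""
    remaining = {s: set(d) for s, d in deps.items()}
    for prereqs in list(remaining.values()):
        for p in prereqs:
            remaining.setdefault(p, set())  # prerequisite with no own entry
    waves = []
    while remaining:
        ready = sorted(s for s, d in remaining.items() if not d)
        if not ready:
            raise ValueError("circular dependency among: "
                             + ", ".join(sorted(remaining)))
        waves.append(ready)
        for s in ready:
            del remaining[s]
        for d in remaining.values():
            d.difference_update(ready)
    return waves


def blocked_systems(deps, restorable):
    """Systems that cannot come back because they, or something they
    transitively depend on, have no usable (unencrypted) restore source."""
    blocked = set()
    for wave in recovery_waves(deps):
        for s in wave:
            if s not in restorable or any(p in blocked for p in deps.get(s, ())):
                blocked.add(s)
    return blocked


if __name__ == "__main__":
    for i, wave in enumerate(recovery_waves(DEPENDENCIES), 1):
        print(f"wave {i}: {', '.join(wave)}")
    # Constructed scenario: the online SQL Server backup was encrypted.
    print("blocked:", sorted(blocked_systems(
        DEPENDENCIES, {"Active Directory", "Exchange"})))
```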
"For the most part, the manufacturing operation ran fairly normal throughout and we did not miss any customer shipments."
During the next few weeks important milestones in the recovery process were achieved through close cooperation between Progent engineers and the customer:
- In-house web applications were returned to operation with no loss of information.
- The MailStore archive server for Microsoft Exchange, holding over four million historical emails, was brought on-line and made available to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory capabilities were fully operational.
- A new Palo Alto Networks 850 firewall was deployed.
- Most of the user desktops were functioning as before the incident.
"A lot of what was accomplished in the early hours is mostly a fog for me, but I will not forget the care each of you put in to help get our business back. I've utilized Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered as promised. This event was the most impressive ever."
Conclusion
A potential business-killing disaster was averted by hard-working experts, a wide array of IT skills, and close teamwork. Although forensics completed afterward showed that the ransomware penetration described here would have been stopped by up-to-date security systems and security best practices, user and IT administrator training, and well-designed incident response procedures covering information backup and proper patching controls, the fact is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware virus, remember that Progent's team of professionals has proven experience in crypto-ransomware defense, remediation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for allowing me to get rested after we got past the most critical parts. All of you did an amazing effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Broomfield a range of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services utilize modern machine learning technology to detect zero-day variants of crypto-ransomware that are able to get past legacy signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting-edge behavioral machine learning technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily escape legacy signature-based AV products. ProSight ASM protects on-premises and cloud resources and provides a unified platform to manage the entire malware attack progression including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering via cutting-edge technologies packaged within one agent accessible from a unified control. Progent's data protection and virtualization experts can help your business to plan and implement a ProSight ESP deployment that addresses your organization's specific requirements and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for immediate attention. Progent can also help your company to install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore technology companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and allow transparent backup and fast recovery of important files, applications, images, plus virtual machines. ProSight DPS lets your business recover from data loss resulting from equipment failures, natural disasters, fire, cyber attacks such as ransomware, user error, malicious insiders, or application bugs. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these fully managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security vendors to provide web-based management and world-class protection for all your email traffic. The powerful structure of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This decreases your exposure to external attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper layer of inspection for incoming email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, enhance and troubleshoot their connectivity appliances like switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that network maps are always updated, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when problems are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, finding appliances that require critical software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your network operating at peak levels by tracking the state of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT management personnel and your Progent consultant so that all looming issues can be resolved before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect data related to your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save up to half of time wasted looking for critical information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're making improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Read more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes next-generation behavior-based machine learning tools to guard endpoints as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which routinely escape traditional signature-based AV tools. Progent Active Security Monitoring services safeguard local and cloud resources and provide a unified platform to manage the complete threat progression including filtering, detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback with Windows VSS and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Help Desk: Call Center Managed Services
Progent's Call Desk services permit your information technology staff to offload Support Desk services to Progent or divide responsibilities for Service Desk support transparently between your internal network support group and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your internal IT support team. Client interaction with the Help Desk, provision of support services, problem escalation, ticket generation and tracking, performance measurement, and management of the service database are cohesive whether issues are resolved by your corporate support staff, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Call Desk services.
- Patch Management: Patch Management Services
Progent's managed services for patch management provide organizations of all sizes a flexible and affordable alternative for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. In addition to maximizing the protection and reliability of your computer environment, Progent's software/firmware update management services free up time for your in-house IT staff to concentrate on line-of-business projects and tasks that deliver the highest business value from your information network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo authentication services incorporate Cisco's Duo technology to defend against stolen passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation with iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a secured application and enter your password you are asked to verify who you are on a device that only you possess and that uses a different network channel. A wide selection of out-of-band devices can be utilized for this added form of authentication, including an iPhone, an Android phone or a smartwatch, a hardware token, a landline phone, etc. You may register several verification devices. For details about ProSight Duo identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of in-depth management reporting plug-ins designed to work with the top ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For 24-7 Broomfield Ransomware Repair Consultants, contact Progent at 800-462-8800 or go to Contact Progent.