Ransomware : Your Crippling Information Technology Disaster
Ransomware has become a too-frequent cyberplague that poses an existential danger for businesses poorly prepared for an assault. Versions of ransomware such as Reveton, WannaCry, Locky, Syskey and MongoLock cryptoworms have been out in the wild for years and still inflict havoc. More recent variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with more unnamed viruses, not only encrypt online critical data but also infect any available system backups. Information synched to cloud environments can also be rendered useless. In a vulnerable environment, it can make automatic restoration impossible and basically sets the entire system back to square one.
Getting back on-line services and information after a ransomware attack becomes a sprint against time as the victim fights to contain and clear the ransomware and to resume enterprise-critical operations. Due to the fact that crypto-ransomware needs time to spread, assaults are usually sprung on weekends and holidays, when penetrations are likely to take longer to recognize. This multiplies the difficulty of rapidly mobilizing and orchestrating a capable mitigation team.
Progent has a range of solutions for protecting enterprises from ransomware penetrations. Among these are user training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of next-generation security gateways with machine learning capabilities from SentinelOne to identify and disable day-zero threats quickly. Progent also provides the assistance of experienced crypto-ransomware recovery professionals with the skills and commitment to restore a breached environment as rapidly as possible.
Progent's Ransomware Recovery Services
Subsequent to a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will respond with the keys to unencrypt any of your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the average ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to setup from scratch the vital components of your IT environment. Without access to complete information backups, this requires a broad complement of skill sets, well-coordinated team management, and the ability to work 24x7 until the task is finished.
For two decades, Progent has offered expert IT services for businesses in Cabo Frio and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with financial management and ERP application software. This breadth of expertise provides Progent the capability to efficiently understand important systems and organize the remaining pieces of your IT environment following a crypto-ransomware event and configure them into a functioning system.
Progent's ransomware team of experts has top notch project management systems to coordinate the complex restoration process. Progent knows the urgency of acting quickly and in unison with a customer's management and Information Technology team members to assign priority to tasks and to put critical applications back on-line as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Virus Recovery
A small business contacted Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk is thought to have been created by Northern Korean government sponsored cybercriminals, possibly using approaches leaked from the U.S. NSA organization. Ryuk goes after specific businesses with little tolerance for disruption and is among the most profitable incarnations of ransomware malware. Well Known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in the Chicago metro area with about 500 workers. The Ryuk attack had frozen all essential operations and manufacturing processes. Most of the client's information backups had been on-line at the start of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (more than $200K) and wishfully thinking for good luck, but in the end engaged Progent.
"I cannot speak enough about the care Progent gave us during the most fearful period of (our) businesses existence. We most likely would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent team provided us. The fact that you could get our e-mail and important applications back on-line quicker than one week was incredible. Each staff member I got help from or communicated with at Progent was totally committed on getting our system up and was working 24/7 on our behalf."
Progent worked hand in hand the client to rapidly understand and assign priority to the mission critical applications that had to be addressed in order to restart departmental operations:
- Active Directory (AD)
- Electronic Mail
- Accounting/MRP
To get going, Progent adhered to AV/Malware Processes incident response best practices by stopping the spread and cleaning up infected systems. Progent then started the work of restoring Active Directory, the heart of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Active Directory, and the customer's MRP applications utilized Microsoft SQL, which requires Active Directory services for access to the databases.
In less than two days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then helped perform rebuilding and storage recovery on the most important applications. All Exchange ties and attributes were usable, which accelerated the rebuild of Exchange. Progent was also able to assemble intact OST data files (Microsoft Outlook Off-Line Folder Files) on team desktop computers to recover mail data. A not too old offline backup of the customer's accounting software made it possible to recover these vital services back on-line. Although a large amount of work was left to recover totally from the Ryuk attack, critical systems were returned to operations quickly:
"For the most part, the production operation showed little impact and we delivered all customer deliverables."
Throughout the following few weeks important milestones in the restoration project were completed through close cooperation between Progent team members and the customer:
- In-house web sites were brought back up with no loss of information.
- The MailStore Exchange Server with over four million archived emails was brought online and accessible to users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory capabilities were fully functional.
- A new Palo Alto 850 firewall was set up.
- Most of the desktop computers were fully operational.
"So much of what went on in the initial days is nearly entirely a fog for me, but I will not soon forget the countless hours all of you put in to help get our business back. I have trusted Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered. This situation was a stunning achievement."
Conclusion
A probable business-ending catastrophe was dodged through the efforts of dedicated professionals, a broad range of technical expertise, and tight teamwork. Although in hindsight the ransomware penetration described here could have been identified and stopped with modern security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well designed incident response procedures for information protection and keeping systems up to date with security patches, the fact is that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of experts has a proven track record in ransomware virus blocking, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), I'm grateful for letting me get rested after we got over the initial push. Everyone did an impressive job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Cabo Frio a portfolio of remote monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services incorporate next-generation AI technology to uncover zero-day variants of crypto-ransomware that can get past traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely evade traditional signature-matching AV products. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to automate the entire malware attack lifecycle including filtering, infiltration detection, containment, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint control, and web filtering via leading-edge technologies incorporated within a single agent accessible from a unified control. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP environment that meets your company's specific requirements and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate action. Progent can also help your company to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with leading backup technology companies to create ProSight Data Protection Services (DPS), a selection of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products automate and track your data backup processes and allow non-disruptive backup and rapid restoration of important files/folders, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, user error, ill-intentioned employees, or application bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security vendors to deliver web-based control and world-class protection for all your email traffic. The powerful structure of Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your vulnerability to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper level of inspection for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to diagram, track, reconfigure and debug their connectivity appliances such as routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always updated, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating complex network management activities, WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, locating devices that need critical software patches, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system running at peak levels by checking the health of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT management staff and your Progent consultant so that any looming issues can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved immediately to an alternate hosting environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect data related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save as much as half of time thrown away looking for vital information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next generation behavior-based analysis tools to guard endpoint devices and physical and virtual servers against modern malware assaults such as ransomware and email phishing, which routinely evade legacy signature-matching AV products. Progent Active Security Monitoring services safeguard local and cloud resources and provides a single platform to automate the complete threat lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Read more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Service Desk: Help Desk Managed Services
Progent's Help Center managed services permit your information technology team to offload Support Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your internal support resources and Progent's nationwide roster of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a transparent extension of your in-house network support staff. End user access to the Service Desk, delivery of support services, issue escalation, trouble ticket creation and updates, performance metrics, and maintenance of the service database are cohesive whether issues are taken care of by your in-house support organization, by Progent's team, or by a combination. Learn more about Progent's outsourced/shared Service Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management provide organizations of any size a versatile and cost-effective solution for evaluating, testing, scheduling, implementing, and documenting updates to your ever-evolving information network. In addition to maximizing the protection and functionality of your IT environment, Progent's software/firmware update management services allow your in-house IT staff to focus on line-of-business initiatives and activities that deliver the highest business value from your information network. Find out more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against password theft by using two-factor authentication. Duo supports one-tap identity confirmation with Apple iOS, Google Android, and other personal devices. With 2FA, when you log into a protected application and enter your password you are requested to confirm your identity via a unit that only you possess and that is accessed using a different ("out-of-band") network channel. A wide selection of devices can be used as this added form of ID validation including an iPhone or Android or wearable, a hardware token, a landline phone, etc. You can register multiple verification devices. To find out more about ProSight Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time management reporting plug-ins created to integrate with the industry's top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For Cabo Frio 24/7 Ransomware Repair Help, contact Progent at 800-462-8800 or go to Contact Progent.