Crypto-Ransomware : Your Worst IT Nightmare
Ransomware has become a too-frequent cyberplague that poses an existential danger for businesses poorly prepared for an attack. Different iterations of ransomware such as Dharma, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for a long time and still cause harm. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus daily as yet unnamed viruses, not only do encryption of online critical data but also infiltrate many accessible system protection mechanisms. Data replicated to the cloud can also be encrypted. In a poorly architected data protection solution, this can render automated restoration useless and basically sets the datacenter back to zero.
Getting back online services and data following a ransomware intrusion becomes a race against the clock as the targeted business struggles to stop lateral movement and cleanup the crypto-ransomware and to resume enterprise-critical operations. Because crypto-ransomware requires time to replicate, attacks are usually launched during weekends and nights, when penetrations in many cases take longer to notice. This compounds the difficulty of promptly mobilizing and orchestrating a qualified response team.
Progent makes available an assortment of services for securing organizations from ransomware penetrations. These include team training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security solutions with AI capabilities from SentinelOne to identify and disable zero-day cyber threats rapidly. Progent in addition can provide the services of experienced ransomware recovery engineers with the track record and commitment to re-deploy a compromised system as quickly as possible.
Progent's Ransomware Recovery Services
Subsequent to a ransomware event, paying the ransom in cryptocurrency does not guarantee that distant criminals will return the keys to decipher any of your information. Kaspersky estimated that seventeen percent of crypto-ransomware victims never restored their information after having paid the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to setup from scratch the key components of your Information Technology environment. Without access to complete information backups, this requires a wide complement of skills, well-coordinated project management, and the capability to work non-stop until the task is done.
For two decades, Progent has provided expert IT services for companies in Cabo Frio and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded top certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity specialists have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience in accounting and ERP applications. This breadth of experience provides Progent the capability to knowledgably ascertain necessary systems and re-organize the remaining pieces of your Information Technology system after a ransomware penetration and configure them into an operational network.
Progent's ransomware team uses powerful project management tools to orchestrate the complex restoration process. Progent appreciates the importance of working rapidly and in concert with a client's management and Information Technology team members to prioritize tasks and to get key applications back on-line as soon as possible.
Client Story: A Successful Ransomware Incident Recovery
A client contacted Progent after their organization was attacked by the Ryuk ransomware. Ryuk is thought to have been launched by Northern Korean state criminal gangs, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with little or no room for disruption and is among the most profitable versions of ransomware viruses. High publicized victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer based in Chicago and has about 500 employees. The Ryuk penetration had frozen all company operations and manufacturing capabilities. Most of the client's backups had been on-line at the beginning of the attack and were encrypted. The client considered paying the ransom demand (in excess of $200,000) and wishfully thinking for the best, but in the end made the decision to use Progent.
"I can't tell you enough about the support Progent gave us throughout the most fearful time of (our) company's life. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent experts gave us. The fact that you could get our messaging and key applications back online in less than 1 week was something I thought impossible. Every single expert I talked with or e-mailed at Progent was urgently focused on getting us back online and was working at all hours on our behalf."
Progent worked together with the client to rapidly understand and prioritize the mission critical applications that had to be addressed in order to resume departmental operations:
- Active Directory (AD)
- Microsoft Exchange Server
- MRP System
To start, Progent adhered to AV/Malware Processes penetration mitigation best practices by isolating and clearing infected systems. Progent then started the process of recovering Microsoft Active Directory, the foundation of enterprise networks built upon Microsoft Windows technology. Exchange messaging will not work without AD, and the businesses' financials and MRP applications utilized SQL Server, which needs Active Directory services for access to the database.
Within 48 hours, Progent was able to recover Active Directory services to its pre-attack state. Progent then assisted with setup and hard drive recovery of essential servers. All Exchange Server schema and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Email Off-Line Data Files) on various workstations to recover mail information. A not too old offline backup of the client's financials/ERP software made them able to recover these essential applications back online for users. Although a large amount of work remained to recover totally from the Ryuk event, core systems were recovered rapidly:
"For the most part, the production line operation showed little impact and we did not miss any customer deliverables."
Over the following couple of weeks critical milestones in the restoration project were made in tight collaboration between Progent team members and the customer:
- Self-hosted web sites were brought back up with no loss of information.
- The MailStore Exchange Server containing more than four million archived messages was spun up and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory modules were completely functional.
- A new Palo Alto 850 firewall was brought on-line.
- Nearly all of the desktop computers were back into operation.
"A huge amount of what was accomplished during the initial response is mostly a haze for me, but my management will not soon forget the dedication each of the team accomplished to give us our business back. I have utilized Progent for the past 10 years, possibly more, and every time Progent has shined and delivered. This time was a Herculean accomplishment."
Conclusion
A likely business-killing disaster was averted due to results-oriented professionals, a broad array of subject matter expertise, and tight teamwork. Although upon completion of forensics the ransomware virus incident described here would have been identified and disabled with up-to-date security systems and best practices, team education, and well designed incident response procedures for information backup and keeping systems up to date with security patches, the reality remains that state-sponsored hackers from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware attack, remember that Progent's team of experts has proven experience in ransomware virus blocking, cleanup, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thanks very much for allowing me to get some sleep after we got through the initial fire. All of you did an impressive job, and if any of your guys is in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Cabo Frio a variety of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services include modern artificial intelligence capability to detect zero-day strains of ransomware that can evade traditional signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior machine learning tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely evade traditional signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to automate the complete malware attack progression including blocking, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools packaged within a single agent managed from a unified control. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP deployment that addresses your company's unique needs and that allows you demonstrate compliance with government and industry data protection regulations. Progent will assist you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent attention. Progent can also assist your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup technology providers to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and monitor your backup operations and allow transparent backup and fast recovery of vital files, applications, system images, plus VMs. ProSight DPS lets your business recover from data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or application bugs. Managed backup services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top data security vendors to provide centralized management and comprehensive protection for all your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This decreases your vulnerability to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper level of inspection for incoming email. For outgoing email, the onsite security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map, monitor, optimize and troubleshoot their connectivity hardware like switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are kept updated, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating tedious management processes, WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, locating devices that need critical software patches, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your network running at peak levels by checking the state of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management staff and your Progent consultant so that any looming issues can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Since the environment is virtualized, it can be moved easily to a different hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect information about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can eliminate as much as half of time thrown away searching for vital information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting edge behavior-based analysis tools to guard endpoints as well as servers and VMs against new malware attacks such as ransomware and email phishing, which routinely evade traditional signature-based anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud resources and provides a single platform to address the entire malware attack lifecycle including protection, identification, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Service Center: Support Desk Managed Services
Progent's Call Desk managed services permit your information technology group to outsource Call Center services to Progent or split responsibilities for Service Desk support seamlessly between your in-house network support resources and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a transparent extension of your corporate support team. Client access to the Help Desk, delivery of support services, issue escalation, trouble ticket creation and tracking, performance measurement, and management of the service database are consistent regardless of whether incidents are resolved by your corporate support group, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/shared Call Desk services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer organizations of all sizes a flexible and cost-effective solution for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic IT system. Besides optimizing the security and functionality of your IT network, Progent's software/firmware update management services free up time for your IT staff to concentrate on line-of-business initiatives and tasks that deliver the highest business value from your network. Find out more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication service plans utilize Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification on Apple iOS, Android, and other out-of-band devices. With 2FA, when you sign into a secured online account and enter your password you are asked to verify who you are on a device that only you possess and that is accessed using a different network channel. A wide selection of devices can be used for this added means of authentication such as an iPhone or Android or watch, a hardware token, a landline phone, etc. You may register multiple validation devices. To find out more about Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of real-time reporting utilities created to work with the top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
For 24-7 Cabo Frio Crypto Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.