Ransomware : Your Worst Information Technology Disaster
Ransomware has become a too-frequent cyberplague that poses an extinction-level danger for organizations vulnerable to an attack. Multiple generations of ransomware such as CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still cause havoc. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as daily as yet unnamed malware, not only do encryption of on-line files but also infiltrate most configured system protection mechanisms. Information replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed data protection solution, this can make any recovery hopeless and basically knocks the network back to square one.
Getting back online programs and data following a ransomware intrusion becomes a race against time as the targeted business tries its best to contain the damage and clear the ransomware and to resume business-critical activity. Due to the fact that ransomware takes time to replicate, attacks are frequently launched on weekends, when penetrations are likely to take longer to identify. This multiplies the difficulty of rapidly mobilizing and coordinating a qualified response team.
Progent offers a variety of help services for protecting organizations from ransomware events. These include user training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security appliances with artificial intelligence technology from SentinelOne to detect and quarantine zero-day cyber attacks rapidly. Progent also provides the services of veteran ransomware recovery professionals with the talent and commitment to restore a compromised environment as soon as possible.
Progent's Crypto-Ransomware Recovery Support Services
Subsequent to a ransomware penetration, sending the ransom in cryptocurrency does not guarantee that cyber hackers will provide the needed codes to decrypt all your information. Kaspersky determined that 17% of crypto-ransomware victims never recovered their information even after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to setup from scratch the mission-critical components of your Information Technology environment. Absent access to complete system backups, this requires a broad complement of skills, top notch team management, and the willingness to work 24x7 until the recovery project is completed.
For decades, Progent has made available professional Information Technology services for companies in Cabo Frio and across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity engineers have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the ability to knowledgably ascertain critical systems and re-organize the remaining parts of your network environment after a ransomware attack and rebuild them into a functioning network.
Progent's ransomware group has best of breed project management applications to coordinate the sophisticated restoration process. Progent appreciates the importance of working rapidly and in unison with a client's management and Information Technology staff to prioritize tasks and to get key systems back online as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Penetration Restoration
A small business escalated to Progent after their organization was penetrated by Ryuk ransomware virus. Ryuk is believed to have been launched by Northern Korean state sponsored criminal gangs, possibly adopting strategies leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little or no ability to sustain disruption and is one of the most lucrative instances of crypto-ransomware. Well Known victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had paralyzed all essential operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the intrusion and were encrypted. The client was taking steps for paying the ransom (more than $200K) and wishfully thinking for good luck, but ultimately utilized Progent.
"I can't say enough about the care Progent gave us during the most fearful time of (our) businesses survival. We had little choice but to pay the hackers behind this attack if it wasn't for the confidence the Progent group provided us. The fact that you could get our e-mail system and production applications back on-line quicker than a week was beyond my wildest dreams. Every single person I got help from or messaged at Progent was urgently focused on getting us operational and was working non-stop to bail us out."
Progent worked with the client to rapidly identify and prioritize the mission critical systems that needed to be restored to make it possible to restart company functions:
To start, Progent adhered to AV/Malware Processes incident mitigation industry best practices by stopping the spread and cleaning up infected systems. Progent then started the steps of bringing back online Microsoft AD, the key technology of enterprise systems built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without AD, and the businesses' financials and MRP system utilized Microsoft SQL, which requires Active Directory for security authorization to the database.
- Microsoft Active Directory
- Accounting and Manufacturing Software
Within 2 days, Progent was able to restore Active Directory services to its pre-intrusion state. Progent then helped perform rebuilding and hard drive recovery on key applications. All Exchange Server schema and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to assemble local OST data files (Outlook Email Offline Data Files) on various PCs and laptops in order to recover mail data. A not too old offline backup of the customer's manufacturing systems made it possible to recover these vital applications back online. Although a lot of work remained to recover completely from the Ryuk event, essential services were restored rapidly:
"For the most part, the production line operation never missed a beat and we made all customer deliverables."
During the following month key milestones in the restoration process were accomplished in tight collaboration between Progent team members and the client:
- Internal web applications were brought back up without losing any data.
- The MailStore Microsoft Exchange Server exceeding four million archived messages was spun up and available for users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory functions were 100% operational.
- A new Palo Alto Networks 850 security appliance was deployed.
- Most of the desktops and laptops were operational.
"So much of what occurred that first week is nearly entirely a blur for me, but my team will not soon forget the care all of the team put in to give us our company back. I've been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered. This time was no exception but maybe more Herculean."
A likely company-ending disaster was evaded due to dedicated experts, a wide range of technical expertise, and tight teamwork. Although upon completion of forensics the ransomware incident detailed here should have been shut down with modern security technology and NIST Cybersecurity Framework best practices, staff education, and well designed incident response procedures for backup and keeping systems up to date with security patches, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, feel confident that Progent's team of professionals has a proven track record in crypto-ransomware virus defense, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get some sleep after we got over the first week. Everyone did an fabulous effort, and if anyone is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Cabo Frio a range of remote monitoring and security evaluation services to help you to reduce the threat from crypto-ransomware. These services incorporate modern artificial intelligence technology to detect zero-day variants of ransomware that can evade traditional signature-based anti-virus solutions.
For Cabo Frio 24x7x365 Crypto-Ransomware Remediation Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to address the entire malware attack lifecycle including protection, detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can help your business to design and implement a ProSight ESP deployment that addresses your company's specific needs and that allows you demonstrate compliance with government and industry information security standards. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent's consultants can also help you to install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with leading backup software companies to produce ProSight Data Protection Services, a family of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your backup operations and allow non-disruptive backup and rapid restoration of vital files/folders, apps, images, plus VMs. ProSight DPS helps you protect against data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or application glitches. Managed services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security companies to deliver centralized control and comprehensive security for your email traffic. The hybrid structure of Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and saves system bandwidth and storage. Email Guard's on-premises gateway device provides a further level of inspection for incoming email. For outbound email, the local security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to map out, monitor, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and access points plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are always current, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends notices when problems are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, locating appliances that need critical software patches, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT personnel and your assigned Progent engineering consultant so any potential issues can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be moved easily to a different hosting environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and safeguard information related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs or domains. By updating and managing your IT documentation, you can save as much as 50% of time thrown away searching for vital information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next generation behavior-based machine learning technology to guard endpoints and servers and VMs against modern malware assaults such as ransomware and file-less exploits, which easily evade legacy signature-based AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and provides a unified platform to manage the entire malware attack progression including filtering, detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
Progent's Help Center services enable your information technology group to offload Help Desk services to Progent or split activity for Help Desk services seamlessly between your in-house network support group and Progent's extensive roster of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a smooth extension of your core support staff. User access to the Help Desk, provision of support services, issue escalation, trouble ticket creation and tracking, efficiency measurement, and management of the service database are cohesive whether issues are resolved by your core IT support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Help Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management offer organizations of all sizes a flexible and affordable solution for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT system. Besides optimizing the protection and reliability of your computer environment, Progent's software/firmware update management services allow your IT staff to focus on line-of-business projects and activities that derive maximum business value from your network. Find out more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication services incorporate Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. Using Duo 2FA, whenever you log into a protected application and give your password you are asked to confirm your identity via a device that only you possess and that is accessed using a separate network channel. A wide selection of out-of-band devices can be utilized for this second form of ID validation such as an iPhone or Android or watch, a hardware/software token, a landline telephone, etc. You may register multiple validation devices. For more information about ProSight Duo identity authentication services, go to Duo MFA two-factor authentication (2FA) services.