Ransomware: Your Feared IT Nightmare
Ransomware has become a modern cyber pandemic that presents an extinction-level danger for organizations unprepared for an attack. Multiple generations of ransomware such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock have been circulating for years and continue to cause havoc. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with newer strains that are still unnamed, do not merely encrypt online data: they also seek out and encrypt every backup they can reach, and data replicated to the cloud can be held hostage as well. In a poorly designed data protection solution this can render recovery impossible and effectively set the entire system back to zero.
Recovering applications and data after a ransomware outage becomes a race against time as the targeted business tries to stop lateral movement, remove the ransomware, and restore mission-critical operations. Because the attackers need time to move laterally before they trigger encryption, the payload is usually detonated at night, when it takes longer for anyone to notice. This multiplies the difficulty of promptly assembling and coordinating a qualified response team.
Progent offers a range of services for protecting organizations from ransomware. These include staff training to recognize and avoid phishing lures, ProSight Active Security Monitoring for next-generation endpoint protection, and deployment of SentinelOne's machine-learning based endpoint security to detect and contain new attacks quickly. Progent can also provide veteran ransomware recovery engineers with the skill and perseverance to restore a compromised system as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will hand over working keys to decrypt all your data. Kaspersky found that 17% of ransomware victims never recovered their data after paying, compounding their losses. Paying is also expensive: Ryuk ransoms are often several hundred thousand dollars, and for larger organizations the demand can reach millions. The alternative is to rebuild the vital parts of your IT environment from scratch. Without complete system backups, this calls for a broad range of IT skills, well-coordinated project management, and the capacity to work around the clock until the job is done.
For two decades, Progent has provided professional IT services to businesses throughout the United States and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals with advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISA, CISSP, CRISC, GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of experience lets Progent knowledgeably identify the systems that matter, consolidate the surviving parts of your network after a ransomware event, and configure them into a functioning whole.
Progent's recovery group has powerful project management tools to coordinate the sophisticated restoration process. Progent appreciates the importance of working swiftly and in unison with a customer's management and IT resources to prioritize tasks and to put key applications back on-line as soon as possible.
Case Study: A Successful Ransomware Intrusion Response
A small business contacted Progent after its network was compromised by Ryuk ransomware. Ryuk was initially linked to North Korean state actors because it shares code with the Hermes ransomware, although most later analysis attributes it to a Russian-speaking criminal group; either way, its operators targeted businesses with limited ability to sustain disruption, and Ryuk became one of the most profitable ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business located in Chicago with around 500 staff. The Ryuk incident had halted all essential business and manufacturing operations. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted along with everything else. The client was arranging financing to pay the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent instead.
"I can't tell you enough in regards to the expertise Progent provided us throughout the most critical time of (our) company's life. We would have paid the criminal gangs if it wasn't for the confidence the Progent experts afforded us. That you could get our messaging and production servers back faster than seven days was earth shattering. Every single expert I interacted with or e-mailed at Progent was laser focused on getting us restored and was working at all hours to bail us out."
Progent worked with the customer to quickly identify and prioritize the key elements that had to be addressed to resume business operations:
- Active Directory
- Exchange Server
- MRP System
To begin, Progent followed incident response best practices by halting lateral movement and removing the active malware. Progent then started recovering Microsoft Active Directory, the foundation of any Microsoft-based enterprise network: Exchange will not function without AD, and the business's MRP applications ran on Microsoft SQL Server, which relied on Active Directory for authentication to the databases.
Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then reinstalled and recovered storage for the most important servers. All Exchange data and configuration were intact, which simplified the Exchange restore. Progent was also able to gather intact OST files (Outlook Offline Data Files) from staff PCs to recover mail messages. A reasonably recent offline backup of the customer's financial/MRP systems made it possible to bring these vital applications back online. Although much work remained to recover fully from the Ryuk attack, the core systems were restored quickly:
"For the most part, the manufacturing operation never missed a beat and we made all customer sales."
Over the next month, key milestones in the recovery were reached through close cooperation between Progent and the client:
- Internal web applications were returned to operation with no loss of data.
- The MailStore Server with over four million historical emails was brought online and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory functions were fully operational.
- A new Palo Alto 850 firewall was brought on-line.
- Ninety percent of user desktops were back in use by staff.
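The OST recovery step in the case study above (gathering intact Outlook data files from staff PCs while the encrypted ones are discarded) is the kind of task that benefits from a small script once hundreds of workstations are involved. The following is an added example, not Progent's tooling and not part of the original case study: it walks a directory tree (assumed to be mounted workstation profiles or a collection share), finds Outlook data files, and screens each one by checking for the PST/OST file signature "!BDN" and measuring the entropy of the header bytes. The directory layout, the sample files and the ".locked" extension are constructed for illustration.

```python
"""Post-incident triage of Outlook data files (.ost/.pst).

Added example: not Progent's tooling and not part of the original case
study. Walks a directory tree (assumed to be mounted workstation profiles
or a collection share), finds Outlook data files, and classifies each as
intact (the PST/OST signature "!BDN" is present) or likely encrypted
(signature missing and the header bytes look random). The sample tree
built by build_sample_tree() is constructed for illustration.
"""
import math
import os
import random
import tempfile
from dataclasses import dataclass

PST_MAGIC = b"!BDN"     # first four bytes of every ANSI and Unicode PST/OST file
SAMPLE_BYTES = 4096      # header bytes examined per file
HIGH_ENTROPY = 7.5       # bits/byte; ciphertext measures ~7.95 over 4 KiB, real headers far lower


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the buffer; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class Verdict:
    path: str
    size: int
    has_magic: bool
    entropy: float
    status: str          # "intact", "likely-encrypted" or "unknown"


def classify_outlook_file(path: str) -> Verdict:
    """Screen one file. A present signature is a good sign, not proof of integrity."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    has_magic = head[:4] == PST_MAGIC
    ent = shannon_entropy(head)
    if has_magic:
        status = "intact"
    elif ent >= HIGH_ENTROPY:
        status = "likely-encrypted"
    else:
        status = "unknown"   # truncated, zero-filled or not an Outlook file: inspect by hand
    return Verdict(path, os.path.getsize(path), has_magic, ent, status)


def is_outlook_data_file(name: str) -> bool:
    # Encrypted copies usually keep the original name with a new extension appended
    # (e.g. outlook.ost.<ext>), so match the suffix anywhere in the name, not only at the end.
    lower = name.lower()
    return ".ost" in lower or ".pst" in lower


def triage_tree(root: str) -> list[Verdict]:
    """Find and classify every Outlook data file below root."""
    verdicts = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if is_outlook_data_file(name):
                verdicts.append(classify_outlook_file(os.path.join(dirpath, name)))
    return verdicts


def summarize(verdicts: list[Verdict]) -> dict[str, int]:
    counts = {"intact": 0, "likely-encrypted": 0, "unknown": 0}
    for v in verdicts:
        counts[v.status] += 1
    return counts


def build_sample_tree() -> str:
    """Constructed sample: three 'workstation profiles' in a temp directory."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    samples = {
        # intact OST: real signature followed by a mostly empty header block
        "alice/outlook.ost": PST_MAGIC + b"\x00" * (SAMPLE_BYTES - 4),
        # encrypted OST renamed by the ransomware (extension made up for the example):
        # no signature, random-looking bytes (seeded so the run is reproducible)
        "bob/outlook.ost.locked": random.Random(2024).randbytes(SAMPLE_BYTES),
        # truncated archive: no signature, low entropy, needs a human look
        "carol/archive.pst": b"\x00" * 100,
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for v in triage_tree(sample_root):
        print(f"{v.status:17} entropy={v.entropy:.2f} magic={str(v.has_magic):5} {v.path}")
    print(summarize(triage_tree(sample_root)))
```

Treat this as a screening pass, not a verdict: some ransomware families encrypt only part of a large file, so a file can carry a valid signature and still be damaged inside. Anything marked intact should be opened in Outlook or checked with the Inbox Repair tool before its mail is imported, and anything marked unknown should be inspected by hand.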
"So much of what was accomplished in the early hours is mostly a haze for me, but we will not forget the commitment each and every one of the team put in to give us our business back. I've utilized Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered. This time was a life saver."
Conclusion
A potentially business-ending disaster was averted by hard-working professionals, a broad spectrum of subject matter expertise, and close teamwork. In hindsight, the ransomware intrusion described here could have been detected and prevented with modern security technology and best practices, staff training, and well-designed procedures for offline backups and timely patching; the reality, however, is that state-sponsored and criminal attackers in North Korea, China and elsewhere are tireless and will keep trying. If you are hit by a ransomware attack, you can be confident that Progent's team has extensive experience in ransomware prevention, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get some sleep after we got through the initial push. Everyone did an impressive job, and if any of your team is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Cambridge a portfolio of remote monitoring and security evaluation services to help you minimize your exposure to ransomware. These services include modern AI technology to detect new ransomware variants that get past traditional signature-based security products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by checking the state of vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT staff and your Progent consultant so all potential problems can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a unified, cloud-driven platform for managing your client-server infrastructure by providing an environment for streamlining common time-consuming tasks. These can include health checking, update management, automated remediation, endpoint configuration, backup and restore, anti-virus defense, remote access, built-in and custom scripts, asset inventory, endpoint profile reports, and troubleshooting support. When ProSight LAN Watch with NinjaOne RMM uncovers a serious problem, it sends an alarm to your specified IT management staff and your Progent technical consultant so potential problems can be fixed before they impact productivity. Find out more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, monitor, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are always current, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating tedious network management processes, ProSight WAN Watch can cut hours off common tasks like network mapping, expanding your network, finding appliances that need critical software patches, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure management services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of real-time and in-depth reporting tools created to work with the industry's leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has worked with advanced backup software companies to create ProSight Data Protection Services, a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and track your backup operations and enable transparent backup and fast recovery of critical files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, user mistakes, malicious employees, or software bugs. Managed services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to deliver web-based control and comprehensive protection for all your email traffic. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email from making it to your network firewall. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server to monitor and safeguard internal email traffic that stays within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo MFA services incorporate Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication. Duo enables one-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a secured application and enter your password you are requested to verify who you are on a device that only you possess and that is accessed using a different network channel. A wide selection of devices can be used as this added form of authentication such as a smartphone or wearable, a hardware/software token, a landline phone, etc. You can register several validation devices. To learn more about Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services for access security.
- Outsourced/Co-managed Service Center: Help Desk Managed Services
Progent's Help Desk managed services enable your IT staff to outsource Help Desk services to Progent or to split Help Desk activity transparently between your internal support group and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent extension of your in-house network support organization. Client access to the Help Desk, provision of technical assistance, problem escalation, trouble ticket creation and updates, efficiency measurement, and management of the support database are cohesive regardless of whether incidents are handled by your internal network support group, by Progent, or by a combination. Read more about Progent's outsourced/shared Help Desk services.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection solution that uses behavior analysis to guard endpoint devices, servers and VMs against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-based AV products. The service safeguards local and cloud-based resources and provides a unified platform to manage the complete malware attack lifecycle including blocking, detection, mitigation, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save as much as 50% of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer businesses of any size a flexible and cost-effective solution for assessing, validating, scheduling, implementing, and tracking updates to your ever-evolving information system. Besides maximizing the security and reliability of your computer environment, Progent's software/firmware update management services free up time for your IT staff to focus on more strategic initiatives and activities that derive maximum business value from your network. Find out more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hosting solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's cutting edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. ProSight ASM safeguards local and cloud resources and offers a unified platform to address the complete threat progression including protection, infiltration detection, mitigation, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint control, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can help you to design and implement a ProSight ESP deployment that addresses your company's specific needs and that allows you to demonstrate compliance with legal and industry data security regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent can also help you to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.
For Cambridge 24/7/365 Crypto Removal Help, call Progent at 800-462-8800 or go to Contact Progent.