Ransomware: Your Crippling IT Nightmare
Crypto-Ransomware has become an escalating cyberplague that poses an extinction-level threat for organizations unprepared for an attack. Different versions of crypto-ransomware like the Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and still cause havoc. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with additional unnamed viruses, not only encrypt on-line data files but also infiltrate most accessible system restores and backups. Data synchronized to cloud environments can also be encrypted. In a vulnerable environment, this can make automated recovery impossible and basically sets the entire system back to square one.
Restoring applications and data after a ransomware intrusion becomes a race against the clock as the victim tries to stop lateral movement, remove the crypto-ransomware, and restore business-critical operations. Because ransomware takes time to spread, attacks are usually launched on weekends and at night, when successful penetrations tend to take longer to uncover. This compounds the difficulty of promptly marshalling and organizing a qualified response team.
Progent offers a variety of support services for securing organizations against ransomware attacks. These include user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security solutions with machine learning technology from SentinelOne to detect and extinguish new threats quickly. Progent also offers the services of seasoned ransomware recovery engineers with the talent and commitment to restore a breached network as soon as possible.
Progent's Crypto-Ransomware Restoration Help
Following a crypto-ransomware penetration, paying the ransom demand in Bitcoin does not guarantee that merciless criminals will provide the codes needed to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their information even after sending off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the usual crypto-ransomware demand, which ZDNET puts at around $13,000 on average. The other path is to re-install the essential elements of your IT environment. Without full data backups, this calls for a wide complement of skill sets, well-coordinated team management, and the willingness to work 24x7 until the job is completed.
For decades, Progent has provided expert IT services for companies in Cambridge and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security consultants have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of expertise allows Progent to quickly identify critical systems, salvage the surviving parts of your network after a ransomware event, and assemble them into an operational system.
Progent's ransomware team uses powerful project management systems to coordinate the sophisticated restoration process. Progent appreciates the importance of acting rapidly and in unison with a client's management and Information Technology resources to prioritize tasks and to get the most important services back on line as fast as possible.
Client Case Study: A Successful Ransomware Virus Response
A business sought out Progent after their organization was taken over by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state hackers, possibly adopting algorithms exposed from the United States NSA. Ryuk targets specific companies with limited tolerance for operational disruption and is among the most profitable incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago with around 500 workers. The Ryuk event had frozen all company operations and manufacturing processes. The majority of the client's backups had been directly accessible at the start of the intrusion and were encrypted. The client was preparing to pay the ransom demand (more than $200K) and hope for the best, but in the end called Progent.
"I can't say enough about the support Progent provided us throughout the most critical time of (our) business's life. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent team provided us. The fact that you could get our e-mail system and production applications back into operation quicker than five days was earth shattering. Every single expert I talked with or texted at Progent was totally committed to getting us operational and was working 24/7 to bail us out."
Progent worked together with the customer to quickly assess and prioritize the critical areas that needed to be recovered to make it possible to continue company functions:
- Microsoft Active Directory
- E-Mail
- Accounting/MRP
To begin, Progent followed ransomware mitigation best practices by isolating affected systems and cleaning them of malware. Progent then initiated the task of recovering Microsoft AD, the key technology of enterprise environments built upon Microsoft Windows. Exchange email will not operate without AD, and the customer's MRP software relied on SQL Server, which depends on Active Directory for authentication and authorization to the data.
Within two days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then completed reinstallations and storage recovery of mission-critical systems. All Exchange Server data and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to locate unencrypted OST files (Outlook offline data files) on staff workstations and laptops and use them to recover mailbox contents. A recent off-line backup of the customer's financials/MRP systems made it possible to bring these vital applications back online for users. Although a large amount of work remained to recover fully from the Ryuk virus, core services were returned to operation rapidly:
"For the most part, the production line operation did not miss a beat and we did not miss any customer shipments."
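As an added illustration of the OST triage step described above (example code written for this page, not Progent's own tooling), the script below walks a directory of files collected from workstations and reports which OST/PST files still carry the intact Outlook file signature, as a fast first filter before attempting mailbox recovery. The only assumptions are the PFF-format signature `!BDN` at offset 0 and an entropy threshold for spotting ciphertext; the sample files are constructed inside the script.

```python
import math
import os
import tempfile
from pathlib import Path

# Outlook OST/PST files (PFF format) begin with the 4-byte signature "!BDN".
# A file overwritten by ransomware almost never keeps it, and its leading
# bytes look random (high entropy) rather than structured.
OUTLOOK_MAGIC = b"!BDN"
SAMPLE_BYTES = 4096        # how much of the head of each file to inspect
HIGH_ENTROPY = 7.5         # bits per byte; ciphertext sits close to 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for the sample (0.0 for an empty sample)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_outlook_file(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'damaged' for one candidate OST/PST file."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(OUTLOOK_MAGIC):
        return "intact"
    # No signature: a high-entropy head points at ransomware encryption;
    # anything else is more likely truncation or an unrelated file.
    return "encrypted" if shannon_entropy(head) >= HIGH_ENTROPY else "damaged"


def triage_tree(root: Path) -> dict:
    """Map each *.ost / *.pst file under root (relative path) to its verdict."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".ost", ".pst")):
                p = Path(dirpath) / name
                results[str(p.relative_to(root))] = classify_outlook_file(p)
    return results


def build_constructed_samples(root: Path) -> None:
    """Constructed samples: one intact, one ransomware-style, one truncated."""
    (root / "alice").mkdir(parents=True)
    (root / "bob").mkdir(parents=True)
    # Intact: real signature, then low-entropy filler standing in for PFF structures
    (root / "alice" / "alice@example.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 8188)
    # Encrypted: random bytes, as a ciphertext-overwritten file would look
    (root / "bob" / "bob@example.ost").write_bytes(os.urandom(8192))
    # Damaged: signature lost, only a few text bytes remain
    (root / "bob" / "old.pst").write_bytes(b"partial copy")


def demo() -> dict:
    """Run the triage over a temporary tree of constructed samples and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_samples(root)
        return triage_tree(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:9s} {rel}")
```

Files flagged "intact" are candidates for mailbox recovery; "encrypted" ones are evidence for the forensic timeline rather than a recovery source.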
Over the next month critical milestones in the recovery process were completed through close cooperation between Progent engineers and the client:
- Internal web applications were restored without losing any data.
- The MailStore server for Microsoft Exchange, holding over four million archived messages, was brought back up and made accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables/Inventory functions were 100% recovered.
- A new Palo Alto Networks 850 security appliance was brought online.
- Ninety percent of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what happened that first week is mostly a blur for me, but my team will not soon forget the dedication each of your team accomplished to give us our business back. I have utilized Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered. This event was a testament to your capabilities."
Conclusion
A possible business-ending catastrophe was averted through the efforts of results-oriented experts, a broad range of knowledge, and tight collaboration. Although forensic review showed that the crypto-ransomware attack detailed here could have been stopped by advanced cyber security technology and recognized best practices, staff training, and well thought out security procedures for data protection and proper patching controls, the fact remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware attack, be confident that Progent's team of experts has a proven track record in ransomware blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for making it so I could get rested after we got through the initial fire. All of you did a fabulous effort, and if anyone is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Cambridge a portfolio of online monitoring and security assessment services designed to help you minimize the threat from ransomware. These services utilize next-generation artificial intelligence technology to uncover zero-day strains of ransomware that can get past traditional signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to address the entire malware attack progression, including filtering, identification, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services deliver economical in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools incorporated within one agent accessible from a single console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP environment that addresses your organization's specific needs and that helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent can also assist you to install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with leading backup/restore technology companies to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and enable transparent backup and fast recovery of vital files, applications, images, and VMs. ProSight DPS lets you protect against data loss caused by equipment failures, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned employees, or application bugs. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you determine which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security vendors to provide web-based control and world-class security for your email traffic. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway device to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most threats from reaching your security perimeter. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a deeper level of inspection for inbound email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Exchange Server monitor and protect internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, track, enhance and debug their connectivity appliances like routers, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, captures and manages the configuration information of almost all devices on your network, monitors performance, and sends notices when issues are discovered. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off common chores such as making network diagrams, expanding your network, finding devices that need important updates, or isolating performance issues. Learn more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating at peak levels by checking the health of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT staff and your Progent consultant so that any looming issues can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect information about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By keeping your IT documentation current and well organized, you can eliminate as much as half the time wasted looking for critical information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Learn more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection service that utilizes next-generation behavior-based machine learning technology to guard endpoints, servers and VMs against new malware assaults such as ransomware and email phishing, which routinely get by traditional signature-based AV tools. Progent ASM services safeguard on-premises and cloud resources and offer a unified platform to manage the complete threat lifecycle, including filtering, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Help Desk: Call Center Managed Services
Progent's Help Desk managed services permit your IT group to offload Support Desk services to Progent or split activity for Help Desk services transparently between your in-house support resources and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth supplement to your core network support group. Client access to the Help Desk, provision of support, escalation, ticket generation and updates, efficiency measurement, and maintenance of the support database are consistent whether issues are resolved by your core IT support resources, by Progent, or both. Read more about Progent's outsourced/shared Service Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer organizations of any size a flexible and affordable solution for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT network. Besides maximizing the security and functionality of your IT network, Progent's software/firmware update management services allow your in-house IT team to focus on more strategic initiatives and activities that deliver maximum business value from your network. Learn more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA service plans utilize Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation with Apple iOS, Android, and other personal devices. Using 2FA, whenever you sign into a protected application and enter your password, you are asked to confirm who you are via a device that only you possess and that is reached over a different ("out-of-band") network channel. A broad range of devices can be used as this second means of authentication, such as an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone. You may designate multiple verification devices. For details about ProSight Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding line of real-time management reporting plug-ins designed to integrate with the industry's leading ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues such as inconsistent support follow-through or machines with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24/7/365 Cambridge Ransomware Removal Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.