Crypto-Ransomware : Your Feared Information Technology Disaster
Crypto-ransomware has become a modern cyberplague that represents an extinction-level danger for businesses unprepared for an assault. Older ransomware families such as Dharma, WannaCry, Locky, SamSam and MongoLock have been circulating for a long time and continue to cause harm. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, along with additional unnamed variants, not only encrypt online critical data but also attack most reachable system protection mechanisms, including backups. Information synced to cloud environments can also be corrupted. With a vulnerable data protection solution, this can make any restore operation hopeless and effectively knocks the network back to square one.
Recovering applications and data after a ransomware event becomes a sprint against the clock as the targeted organization tries its best to contain the damage, clear the malware, and resume enterprise-critical activity. Because ransomware needs time to spread, attacks are frequently sprung during weekends and nights, when successful penetrations may take longer to uncover. This multiplies the difficulty of quickly marshalling and organizing an experienced response team.
Progent offers a range of support services for protecting businesses from ransomware penetrations. These include team member education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security appliances with artificial intelligence technology from SentinelOne to identify and extinguish zero-day cyber attacks rapidly. Progent in addition can provide the assistance of seasoned ransomware recovery consultants with the skills and commitment to re-deploy a compromised system as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom demand in cryptocurrency does not provide any assurance that merciless criminals will respond with the keys to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. Paying is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to re-install the critical components of your IT environment. Without complete information backups available, this calls for a broad complement of IT skills, professional project management, and the willingness to work 24x7 until the task is done.
For decades, Progent has made available professional Information Technology services for companies in Campinas and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent in addition has expertise in financial management and ERP applications. This breadth of expertise affords Progent the skills to efficiently identify critical systems, organize the remaining pieces of your computer network environment after a crypto-ransomware penetration, and configure them into an operational system.
Progent's recovery group uses top notch project management applications to coordinate the complicated restoration process. Progent understands the importance of acting quickly and in concert with a client's management and Information Technology resources to prioritize tasks and to put critical systems back on line as soon as possible.
Business Case Study: A Successful Ransomware Incident Response
A customer hired Progent after their organization was attacked by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored criminal gangs, possibly adopting techniques leaked from the United States NSA. Ryuk goes after specific organizations with little or no tolerance for disruption and is among the most lucrative examples of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with around 500 employees. The Ryuk event had disabled all essential operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the attack and were eventually encrypted. The client was taking steps to pay the ransom (exceeding $200K) and hoping for good luck, but in the end brought in Progent.
"I cannot say enough in regards to the support Progent gave us during the most stressful time of (our) business's existence. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group gave us. That you could get our e-mail and production servers back into operation in less than 1 week was incredible. Every single consultant I talked with or texted at Progent was amazingly focused on getting my company operational and was working all day and night to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the key applications that had to be recovered to make it possible to restart company operations:
- Active Directory
- Microsoft Exchange Server
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for AV/malware incident mitigation by stopping the spread and removing active malware. Progent then began the process of restoring Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without AD, and the business's financials and MRP applications utilized SQL Server, which relies on Active Directory to authenticate and authorize access to the data.
In less than 2 days, Progent was able to restore Active Directory services to their pre-infection state. Progent then completed rebuilding and storage recovery on critical servers. All Exchange schema and attributes were usable, which accelerated the restore of Exchange. Progent was also able to find intact OST files (Microsoft Outlook Offline Folder Files) on team PCs in order to recover mail data. A relatively recent offline backup of the business's financials/ERP software made it possible to return these required services to users. Although significant work still had to be done to recover completely from the Ryuk event, the most important services were returned to operation rapidly:
"For the most part, the production line operation never missed a beat and we did not miss any customer shipments."
Over the next month key milestones in the restoration project were achieved in tight collaboration between Progent engineers and the client:
- Internal web applications were restored without losing any data.
- The MailStore Exchange Server archive containing more than 4 million archived emails was restored to operation and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory modules were 100% recovered.
- A new Palo Alto Networks 850 security appliance was installed.
- Ninety percent of the user desktops and notebooks were operational.
"So much of what transpired those first few days is nearly entirely a fog for me, but I will not soon forget the commitment each and every one of you put in to give us our company back. I've been working together with Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This time was no exception but maybe more Herculean."
A possible enterprise-killing disaster was dodged due to top-tier experts, a broad range of IT skills, and tight teamwork. Although in hindsight the crypto-ransomware attack described here should have been identified and disabled with modern cyber security technology and security best practices, team training, and appropriate security procedures for data backup and proper patching controls, the reality is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has extensive experience in ransomware virus blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were contributing), thank you for allowing me to get rested after we made it past the most critical parts. Everyone made an amazing effort, and if any of you guys are in the Chicago area, a great meal is on me!"
To review or download a PDF version of this case study, see Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Campinas a portfolio of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services utilize next-generation artificial intelligence technology to uncover new variants of crypto-ransomware that can get past legacy signature-based security solutions.
For 24/7 crypto-ransomware recovery help in Campinas, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-based AV tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to address the entire malware attack lifecycle including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP deployment that meets your company's unique requirements and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you define and configure the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent can also help your company set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup operations and allow transparent backup and rapid restoration of important files, apps, images, plus virtual machines. ProSight DPS lets you avoid data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or software glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security vendors to deliver centralized management and world-class protection for all your email traffic. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This reduces your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper level of inspection for inbound email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, track, enhance and debug their connectivity appliances such as routers, firewalls, and load balancers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always current, copies and displays the configuration of almost all devices connected to your network, monitors performance, and generates notices when problems are detected. By automating time-consuming network management processes, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, locating appliances that need critical updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the state of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT staff and your Progent engineering consultant so all looming problems can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved immediately to a different hardware solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and protect information related to your network infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next-generation behavior-based machine learning tools to guard endpoints as well as physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching AV tools. Progent ASM services protect on-premises and cloud-based resources and provide a single platform to address the complete threat lifecycle including blocking, infiltration detection, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Call Desk: Help Desk Managed Services
Progent's Call Desk managed services enable your IT team to offload Help Desk services to Progent or divide activity for Help Desk services seamlessly between your internal network support team and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless extension of your in-house IT support team. End user access to the Service Desk, provision of support services, escalation, ticket generation and tracking, efficiency metrics, and maintenance of the service database are cohesive whether issues are resolved by your in-house IT support resources, by Progent's team, or both. Find out more about Progent's outsourced/shared Call Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management provide organizations of any size a flexible and affordable alternative for evaluating, validating, scheduling, implementing, and tracking updates to your ever-evolving information system. Besides maximizing the protection and functionality of your IT environment, Progent's patch management services allow your in-house IT staff to concentrate on more strategic projects and activities that deliver maximum business value from your information network. Learn more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a secured online account and give your password, you are asked to confirm who you are on a device that only you possess and that uses a different network channel. A wide range of out-of-band devices can be used for this added form of ID validation, such as a smartphone or wearable, a hardware token, or a landline telephone. You can designate several verification devices. For details about Duo identity authentication services, visit Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of real-time and in-depth management reporting utilities designed to integrate with the leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.