Ransomware: Your Feared IT Nightmare
Crypto-Ransomware has become an escalating cyber pandemic that poses an existential danger for businesses poorly prepared for an assault. Versions of ransomware such as CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and continue to cause destruction. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as frequent unnamed newcomers, not only encrypt on-line data but also infect many accessible system restores and backups. Information replicated to the cloud can also be held hostage. In a poorly architected system, this can render automatic restore operations hopeless and basically sets the network back to zero.
Getting back services and information after a ransomware intrusion becomes a sprint against the clock as the victim struggles to contain, clear the ransomware, and restore enterprise-critical activity. Due to the fact that crypto-ransomware requires time to move laterally, assaults are frequently sprung on weekends and holidays, when successful penetrations may take longer to recognize. This multiplies the difficulty of promptly assembling and organizing a qualified mitigation team.
Progent offers a range of support services for protecting enterprises from ransomware attacks. Among these are user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of the latest generation of AI-capable security gateways from SentinelOne to detect and quarantine zero-day threats automatically. Progent also offers the services of seasoned crypto-ransomware recovery consultants with the track record and commitment to rebuild a compromised system as soon as possible.
Progent's Ransomware Recovery Services
After a ransomware penetration, even paying the ransom demands in cryptocurrency does not provide any assurance that merciless criminals will respond with the needed keys to decipher any or all of your data. Kaspersky determined that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms are often several hundred thousand dollars. For larger organizations, the ransom can be in the millions of dollars. The alternative is to re-install the essential parts of your Information Technology environment. Without the availability of essential data backups, this calls for a wide range of IT skills, well-coordinated team management, and the ability to work continuously until the task is over.
For twenty years, Progent has made available certified expert Information Technology services for businesses across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded advanced certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally-renowned industry certifications including CISA, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise affords Progent the capability to knowledgeably determine which systems are most important, re-organize the surviving pieces of your IT environment after a ransomware attack, and configure them into a functioning network.
Progent's security team utilizes top-notch project management systems to orchestrate the complicated restoration process. Progent appreciates the importance of working quickly and in unison with a client's management and IT resources to assign priority to tasks and to get critical applications back on-line as fast as possible.
Case Study: A Successful Crypto-Ransomware Intrusion Response
A client hired Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored criminal gangs, possibly using technology exposed from the U.S. NSA organization. Ryuk goes after specific companies with little or no ability to sustain disruption and is one of the most profitable iterations of ransomware malware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing capabilities. Most of the client's backups had been online at the time of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding $200K) and hoping for the best, but ultimately engaged Progent.
"I can't thank you enough in regards to the expertise Progent gave us throughout the most stressful period of (our) business's survival. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent experts gave us. The fact that you could get our e-mail system and critical servers back faster than 1 week was something I thought impossible. Every single expert I talked with or communicated with at Progent was urgently focused on getting our company operational and was working 24 by 7 on our behalf."
Progent worked together with the client to quickly identify and prioritize the key areas that had to be addressed in order to resume departmental operations:
- Active Directory
- Electronic Mail
- Financials/MRP
To begin, Progent followed ransomware penetration mitigation best practices by stopping the spread and cleaning up compromised systems. Progent then started the steps of bringing Microsoft AD back online, the foundation of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server email will not operate without Windows AD, and the business's accounting and MRP applications used Microsoft SQL Server, which requires Active Directory to authorize access to the database.
In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then initiated rebuilding and storage recovery on essential applications. All Exchange Server data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to find non-encrypted OST data files (Outlook Off-Line Data Files) on team desktop computers to recover mail data. A fairly recent off-line backup of the business's accounting/ERP software allowed these vital services to be restored. Although major work still had to be done to recover completely from the Ryuk attack, the most important systems were recovered quickly:
"For the most part, the production line operation did not miss a beat and we produced all customer shipments."
During the next month, important milestones in the restoration project were accomplished through close collaboration between Progent consultants and the customer:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore email archive for Microsoft Exchange Server, holding more than 4 million historical messages, was restored to operation and made accessible to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto Networks 850 firewall was set up.
- Most of the user workstations were operational.
"A lot of what went on that first week is mostly a blur for me, but my management will not forget the dedication each of you put in to help get our business back. I've been working with Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered as promised. This event was no exception but maybe more Herculean."
Conclusion
A likely company-ending catastrophe was evaded due to top-tier experts, a broad range of subject matter expertise, and tight collaboration. In post-mortem analysis, the crypto-ransomware attack detailed here would have been identified and prevented with advanced security systems and best practices, staff training, and well-designed incident response procedures for backup and for keeping systems up to date with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware incident, remember that Progent's roster of professionals has a proven track record in crypto-ransomware defense, mitigation, and information systems restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get some sleep after we got through the initial fire. Everyone did an incredible effort, and if any of your team is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Campinas a range of online monitoring and security assessment services designed to help you to minimize the threat from crypto-ransomware. These services utilize next-generation artificial intelligence technology to detect new variants of ransomware that are able to evade traditional signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating efficiently by checking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent engineering consultant so that all potential issues can be addressed before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software delivers a unified, cloud-driven platform for monitoring and managing your network, server, and desktop devices by providing an environment for performing common tedious jobs. These can include health monitoring, update management, automated repairs, endpoint configuration, backup and recovery, A/V protection, remote access, standard and custom scripts, resource inventory, endpoint profile reports, and debugging assistance. When ProSight LAN Watch with NinjaOne RMM uncovers a serious problem, it transmits an alert to your specified IT personnel and your Progent consultant so that potential problems can be taken care of before they interfere with your network. Find out more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to diagram, monitor, optimize and debug their connectivity hardware like switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch ensures that infrastructure topology maps are always updated, copies and displays the configuration information of virtually all devices on your network, tracks performance, and sends notices when problems are detected. By automating tedious network management activities, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating appliances that require important updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time and in-depth management reporting utilities created to integrate with the top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as inconsistent support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has partnered with leading backup/restore technology providers to produce ProSight Data Protection Services, a selection of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products automate and track your backup operations and allow transparent backup and fast restoration of critical files, applications, images, plus VMs. ProSight DPS lets your business recover from data loss resulting from equipment breakdown, natural disasters, fire, malware like ransomware, human mistakes, malicious employees, or software glitches. Managed services available in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security vendors to deliver centralized management and comprehensive protection for your inbound and outbound email. The powerful architecture of the Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to offer advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's onsite security gateway device provides a further layer of inspection for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against compromised passwords by using two-factor authentication (2FA). Duo supports single-tap identity verification with Apple iOS, Android, and other personal devices. With 2FA, when you sign into a protected online account and enter your password, you are asked to confirm who you are on a device that only you have and that uses a separate network channel. A wide range of devices can be used for this added form of authentication, including an iPhone, an Android phone or wearable, a hardware token, a landline telephone, etc. You can designate multiple verification devices. For more information about ProSight Duo identity validation services, refer to Duo MFA two-factor authentication (2FA) services.
- Progent's Outsourced/Shared Help Center: Call Center Managed Services
Progent's Support Center managed services permit your information technology staff to outsource Call Center services to Progent or split activity for Service Desk support transparently between your internal network support team and Progent's extensive roster of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a transparent extension of your in-house IT support staff. Client interaction with the Help Desk, delivery of support, issue escalation, trouble ticket creation and tracking, performance measurement, and maintenance of the support database are cohesive whether incidents are taken care of by your core network support organization, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Help Desk services.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates cutting-edge behavior-based machine learning tools to guard endpoints and physical and virtual servers against new malware attacks like ransomware and email phishing, which routinely get by traditional signature-based AV tools. Progent ASM services safeguard on-premises and cloud-based resources and offer a single platform to manage the entire threat progression, including filtering, identification, mitigation, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard data about your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of time wasted looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your network infrastructure, like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer businesses of any size a versatile and affordable solution for assessing, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving information system. In addition to maximizing the protection and functionality of your computer environment, Progent's software/firmware update management services free up time for your in-house IT team to concentrate on more strategic initiatives and tasks that derive the highest business value from your information network. Learn more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hosting solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus products. ProSight ASM protects local and cloud-based resources and offers a unified platform to address the complete threat lifecycle including filtering, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge technologies packaged within one agent accessible from a single console. Progent's data protection and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you prove compliance with government and industry data protection regulations. Progent will assist you to specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent's consultants can also assist you to install and test a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.
For 24/7 Campinas Crypto Repair Services, reach out to Progent at 800-462-8800 or go to Contact Progent.