Ransomware: Your Feared Information Technology Nightmare
Ransomware has become an escalating cyber plague that poses an existential danger to organizations poorly prepared for an attack. Multiple generations of ransomware, including the CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms, have been running rampant for years and continue to inflict havoc. The latest variants, such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with a steady stream of as yet unnamed strains, not only encrypt critical online data but also seek out and encrypt most configured system backups. Data synchronized to cloud environments can be ransomed as well. In a poorly designed environment this can make automated restoration impossible and effectively sets the network back to zero.
Retrieving programs and data after a ransomware intrusion becomes a race against the clock as the targeted organization struggles to contain and remove the ransomware and to restore business-critical activity. Because ransomware needs time to spread, attacks are usually launched on weekends and holidays, when they typically take longer to discover. This multiplies the difficulty of quickly marshalling and organizing an experienced mitigation team.
Progent offers a variety of support services for protecting organizations from ransomware events. Among these are staff training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with AI capabilities from SentinelOne to detect and disable zero-day threats. Progent also offers the assistance of veteran ransomware recovery engineers with the skills and commitment to rebuild a breached system as soon as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the attackers will return the keys needed to decrypt all your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data even after paying the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without access to essential data backups, this calls for a wide complement of skill sets, well-coordinated project management, and the capability to work continuously until the task is done.
For decades, Progent has provided certified expert IT services for businesses in Campinas and throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably determine which systems are needed, consolidate the remaining pieces of your IT environment after a ransomware event, and configure them into a functioning network.
Progent's ransomware team deploys powerful project management systems to orchestrate the complex recovery process. Progent appreciates the urgency of working swiftly and in concert with a customer's management and IT resources to prioritize tasks and to bring key systems back online as fast as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Virus Response
A business sought out Progent after their company was attacked by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored cybercriminals, possibly using techniques leaked from America's NSA. Ryuk targets specific companies with limited tolerance for operational disruption and is among the most lucrative versions of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago with about 500 workers. The Ryuk event had disabled all company operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the intrusion and were encrypted. The client was taking steps to pay the ransom demand (exceeding $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I cannot tell you enough about the expertise Progent provided us during the most stressful time of (our) business's existence. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent team provided us. The fact that you could get our e-mail and essential servers back quicker than five days was earth shattering. Every single person I spoke to or communicated with at Progent was hell bent on getting my company operational and was working 24/7 on our behalf."
Progent worked together with the customer to quickly assess and prioritize the most important services that had to be recovered before business operations could restart:
- Active Directory
- Accounting and Manufacturing Software
To get started, Progent followed industry best practices for malware incident response by isolating and cleaning up infected systems. Progent then began the task of bringing Microsoft Active Directory (AD) back online, the key technology of enterprise systems built on Microsoft Windows Server. Exchange messaging will not operate without Active Directory, and the client's accounting and MRP system used Microsoft SQL Server, which depends on Windows AD for authentication to the data.
Within 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then helped rebuild key servers and recover their hard drives. All Microsoft Exchange Server schema and attributes were intact, which simplified the restoration of Exchange. Progent was also able to gather unencrypted OST files (Outlook Offline Data Files) from various desktop computers in order to recover email data. A fairly recent offline backup of the customer's accounting software made it possible to bring these vital services back online for users. Although major work remained to recover completely from the Ryuk attack, critical services were restored quickly:
"For the most part, the production line operation never missed a beat and we delivered all customer shipments."
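The OST recovery step above depends on telling which Outlook data files on the desktops are still intact and which the ransomware rewrote. The following triage script is an added example, not Progent's code or part of the original case study: it walks a directory tree, finds Outlook .ost/.pst files (including ones a ransomware strain has renamed with an extra extension), and classifies each one using the MS-PST file signature ("!BDN", the first four bytes of a real PST/OST) and the Shannon entropy of a sample from the start of the file. The 7.5 bits-per-byte entropy threshold and the sample size are assumptions chosen for the example; the sample files it builds are constructed, not real mailbox data.

```python
"""
Post-ransomware triage of Outlook data files (added example, not Progent's code).

Classify each .ost/.pst under a directory as 'intact' (valid MS-PST header),
'encrypted' (no header and near-random content) or 'unknown'.
"""
import math
import os
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"          # dwMagic at offset 0 of every Outlook PST/OST file
SAMPLE_BYTES = 64 * 1024     # assumption: sample only the first 64 KiB of each file
ENTROPY_THRESHOLD = 7.5      # assumption: bits/byte above which we call it ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_outlook_file(path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one Outlook data file."""
    with open(path, "rb") as fh:
        sample = fh.read(SAMPLE_BYTES)
    if sample.startswith(PST_MAGIC):
        return "intact"                      # header survived: worth recovering
    if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "encrypted"                   # looks like ciphertext, no header
    return "unknown"                         # truncated, empty or damaged


def triage_outlook_files(root) -> dict:
    """Map every file whose name contains .ost or .pst (even if renamed with an
    extra ransom-style extension) under root to its classification."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and any(tag in p.name.lower() for tag in (".ost", ".pst")):
            results[str(p)] = classify_outlook_file(p)
    return results


def build_demo_tree(root) -> None:
    """Create constructed sample files (not real mailbox data) under root."""
    root = Path(root)
    (root / "alice").mkdir(parents=True, exist_ok=True)
    (root / "bob").mkdir(parents=True, exist_ok=True)
    # intact OST: correct magic followed by low-entropy filler
    (root / "alice" / "alice.ost").write_bytes(PST_MAGIC + b"\x00" * 4096)
    # encrypted in place: the whole file rewritten as ciphertext (modelled with os.urandom)
    (root / "bob" / "bob.ost").write_bytes(os.urandom(8192))
    # encrypted and renamed with an added extension, as many strains do
    (root / "bob" / "bob.ost.locked").write_bytes(os.urandom(8192))
    # zero-length archive: neither header nor content to judge
    (root / "bob" / "empty.pst").write_bytes(b"")
    # unrelated file, ignored by the name filter
    (root / "bob" / "notes.txt").write_bytes(b"plain text notes\n")


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and return basename -> verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return {Path(k).name: v for k, v in triage_outlook_files(tmp).items()}


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{name:20s} {verdict}")
```

Run against a mounted copy of a workstation's user profiles rather than the live disk, so the triage itself never touches the evidence; files reported as intact are the candidates to copy to the recovery server, and the header check is deliberately tried before the entropy check because a real OST that merely uses Outlook's own compression can still score well below the ciphertext range.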
Over the next few weeks, key milestones in the recovery process were achieved through close cooperation between Progent team members and the customer:
- Self-hosted web applications were restored with no loss of data.
- The MailStore archive server, holding more than 4 million historical emails, was brought online and made available to users.
- CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Nearly all of the desktops and laptops were fully operational.
"So much of what transpired that first week is nearly entirely a blur for me, but our team will not soon forget the countless hours all of you put in to help get our company back. I have been working with Progent for at least 10 years, maybe more, and each time Progent has come through and delivered as promised. This situation was no exception but maybe more Herculean."
A likely enterprise-killing catastrophe was avoided through top-tier professionals, a wide range of technical expertise, and tight collaboration. Although forensics showed that the ransomware attack detailed here could have been identified and blocked by advanced cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and appropriate security procedures for data protection and software patching, the fact remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you are hit by a crypto-ransomware attack, remember that Progent's team of experts has extensive experience in ransomware blocking, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were involved), thanks very much for making it so I could get some sleep after we made it over the initial push. All of you did an amazing effort, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this case study, please click: Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Campinas a range of remote monitoring and security evaluation services to help reduce the threat from ransomware. These services incorporate modern machine learning technology to uncover zero-day strains of ransomware that can get past legacy signature-based anti-virus products.
For Campinas 24/7 Crypto-Ransomware Cleanup Consulting, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses SentinelOne's cutting-edge behavior analysis tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and fileless exploits, which routinely escape legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud-based resources and offers a single platform to automate the entire threat lifecycle, including protection, detection, containment, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP deployment that addresses your organization's specific requirements and allows you to demonstrate compliance with legal and industry data protection regulations. Progent will assist you in defining and configuring the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also assist you in setting up and verifying a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with leading backup/restore technology companies to create ProSight Data Protection Services (DPS), a selection of management outsourcing plans that provide backup-as-a-service. ProSight DPS products manage and track your backup processes and allow non-disruptive backup and rapid restoration of important files, applications, images, and VMs. ProSight DPS helps you protect against data loss caused by hardware failure, natural disasters, fire, malware such as ransomware, human error, malicious insiders, or software defects. Managed backup services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security companies to deliver web-based management and comprehensive security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The cloud filter acts as a preliminary barrier and blocks the vast majority of unwanted email before it reaches your security perimeter. This decreases your exposure to external threats and saves network bandwidth and storage. Email Guard's onsite gateway device provides a further level of inspection for inbound email. For outgoing email, the local security gateway offers AV and anti-spam protection, data leakage protection, and email encryption. The onsite gateway can also help Microsoft Exchange Server monitor and safeguard internal email that originates and terminates inside your corporate firewall. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, monitor, optimize and troubleshoot their networking appliances such as routers, switches, firewalls, and wireless controllers, as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch keeps infrastructure topology diagrams current, backs up and manages the configuration of virtually all devices on your network, tracks performance, and generates alerts when issues are detected. By automating tedious network management processes, WAN Watch can cut hours off common tasks such as drawing network diagrams, expanding your network, finding devices that require important updates, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system running efficiently by tracking the state of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT management personnel and your Progent engineering consultant so all looming problems can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported easily to an alternate hardware platform without requiring a time-consuming and difficult reinstallation. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can save as much as 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures and how-to guides. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates cutting-edge behavior-based analysis tools to defend endpoint devices and physical and virtual servers against new malware attacks such as ransomware and email phishing, which routinely get past traditional signature-matching anti-virus products. Progent's ASM services safeguard on-premises and cloud resources and offer a single platform to address the entire threat progression, including filtering, intrusion detection, containment, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Help Center: Support Desk Managed Services
Progent's Service Desk managed services enable your IT team to outsource help desk services to Progent or to divide Service Desk support transparently between your in-house network support staff and Progent's extensive pool of IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless supplement to your in-house IT support organization. End user access to the Service Desk, delivery of support, issue escalation, trouble ticket generation and tracking, performance measurement, and management of the service database are consistent regardless of whether issues are resolved by your core IT support resources, by Progent, or by a combination. Read more about Progent's outsourced/shared Service Desk services.
- Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide businesses of any size a versatile and cost-effective solution for assessing, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving information network. In addition to improving the protection and functionality of your computer environment, Progent's software/firmware update management services let your IT team concentrate on more strategic projects and activities that deliver maximum business value from your network. Learn more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA managed services use Cisco's Duo cloud technology to defend against compromised passwords through two-factor authentication (2FA). Duo supports one-tap identity verification on iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a secured application and enter your password, you are asked to confirm who you are on a device that only you possess and that is reached over a different ("out-of-band") network channel. A wide selection of out-of-band devices can be used as this second means of identity validation, such as a smartphone or smartwatch, a hardware or software token, or a landline phone. You can designate several validation devices. To learn more about Duo two-factor identity validation services, refer to Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding line of real-time and in-depth reporting tools created to work with the industry's leading ticketing and remote network monitoring applications, including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and color coding to surface and contextualize critical issues such as spotty support follow-through or machines with missing patches. By exposing ticketing or network health problems clearly and in near real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.