Ransomware : Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic that presents an enterprise-level threat for businesses poorly prepared for an assault. Versions of ransomware like the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to cause damage. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with more as yet unnamed viruses, not only do encryption of on-line critical data but also infiltrate any configured system protection mechanisms. Data synchronized to cloud environments can also be corrupted. In a poorly designed data protection solution, it can render automatic restore operations hopeless and effectively knocks the entire system back to zero.
Getting back on-line programs and information following a ransomware intrusion becomes a race against time as the targeted organization fights to stop lateral movement and cleanup the virus and to resume mission-critical activity. Due to the fact that crypto-ransomware needs time to spread, assaults are usually sprung during weekends and nights, when successful penetrations are likely to take more time to uncover. This compounds the difficulty of promptly assembling and organizing a knowledgeable mitigation team.
Progent makes available a variety of support services for securing businesses from ransomware events. Among these are staff education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security gateways with AI capabilities from SentinelOne to discover and extinguish zero-day cyber threats quickly. Progent in addition can provide the services of experienced crypto-ransomware recovery engineers with the talent and perseverance to restore a breached system as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Following a crypto-ransomware event, paying the ransom in cryptocurrency does not provide any assurance that distant criminals will return the needed keys to unencrypt any or all of your files. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their files even after having paid the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly above the typical ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to piece back together the vital parts of your IT environment. Absent the availability of essential data backups, this calls for a broad range of IT skills, well-coordinated team management, and the capability to work non-stop until the job is done.
For twenty years, Progent has provided certified expert IT services for businesses in Charleston and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently understand critical systems and consolidate the remaining pieces of your IT system following a ransomware penetration and rebuild them into an operational network.
Progent's security group has top notch project management tools to orchestrate the complicated recovery process. Progent appreciates the importance of acting quickly and in concert with a client's management and IT team members to prioritize tasks and to get key systems back on line as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Penetration Response
A business sought out Progent after their organization was brought down by Ryuk ransomware virus. Ryuk is believed to have been launched by Northern Korean state hackers, possibly using strategies exposed from America's National Security Agency. Ryuk seeks specific businesses with little room for operational disruption and is one of the most profitable iterations of ransomware viruses. Headline targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area and has around 500 workers. The Ryuk attack had shut down all company operations and manufacturing processes. Most of the client's information backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client considered paying the ransom (exceeding $200,000) and wishfully thinking for good luck, but in the end utilized Progent.
"I can't speak enough in regards to the support Progent provided us throughout the most critical time of (our) company's existence. We would have paid the criminal gangs if not for the confidence the Progent team provided us. The fact that you could get our messaging and critical servers back into operation in less than five days was something I thought impossible. Every single staff member I got help from or texted at Progent was totally committed on getting us back on-line and was working all day and night to bail us out."
Progent worked with the client to rapidly assess and prioritize the essential services that needed to be restored to make it possible to continue company functions:
To start, Progent adhered to Anti-virus penetration response industry best practices by halting lateral movement and removing active viruses. Progent then initiated the work of rebuilding Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Exchange messaging will not function without AD, and the client's accounting and MRP software leveraged Microsoft SQL, which needs Active Directory services for access to the information.
- Microsoft Active Directory
- MRP System
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then completed reinstallations and hard drive recovery on critical servers. All Exchange Server data and attributes were usable, which greatly helped the restore of Exchange. Progent was able to find non-encrypted OST data files (Microsoft Outlook Off-Line Data Files) on team PCs in order to recover mail information. A not too old off-line backup of the businesses manufacturing software made it possible to restore these vital services back on-line. Although a large amount of work needed to be completed to recover totally from the Ryuk damage, core systems were restored rapidly:
"For the most part, the assembly line operation ran fairly normal throughout and we delivered all customer orders."
Throughout the next few weeks critical milestones in the recovery project were completed in tight collaboration between Progent team members and the customer:
- Self-hosted web applications were brought back up without losing any data.
- The MailStore Exchange Server containing more than 4 million archived messages was restored to operations and available for users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were 100% operational.
- A new Palo Alto Networks 850 firewall was brought online.
- Most of the desktop computers were back into operation.
"So much of what happened that first week is mostly a blur for me, but I will not soon forget the commitment each of the team put in to help get our business back. I have been working together with Progent for the past 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This time was a life saver."
A likely business-ending disaster was averted with top-tier professionals, a broad array of knowledge, and tight teamwork. Although in retrospect the ransomware penetration described here could have been identified and disabled with up-to-date cyber security systems and ISO/IEC 27001 best practices, team training, and well designed security procedures for backup and keeping systems up to date with security patches, the fact is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's roster of experts has a proven track record in ransomware virus blocking, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for making it so I could get rested after we got past the most critical parts. Everyone did an impressive job, and if anyone is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Charleston a range of remote monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services incorporate next-generation machine learning capability to uncover new strains of ransomware that can get past legacy signature-based anti-virus products.
For 24-Hour Charleston Ransomware Repair Consulting, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily get by legacy signature-matching anti-virus products. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to automate the entire threat progression including blocking, infiltration detection, mitigation, cleanup, and forensics. Top features include one-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device control, and web filtering through cutting-edge tools packaged within a single agent accessible from a unified control. Progent's security and virtualization consultants can help you to plan and implement a ProSight ESP deployment that addresses your company's unique needs and that allows you demonstrate compliance with legal and industry information security regulations. Progent will assist you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent's consultants can also assist your company to install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has worked with advanced backup technology companies to create ProSight Data Protection Services (DPS), a selection of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and allow transparent backup and rapid restoration of vital files/folders, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss caused by hardware breakdown, natural disasters, fire, malware like ransomware, human error, malicious employees, or application bugs. Managed services available in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to deliver centralized management and world-class security for all your inbound and outbound email. The powerful architecture of Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most threats from making it to your security perimeter. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway device provides a deeper layer of analysis for incoming email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Exchange Server to monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, reconfigure and troubleshoot their networking hardware like routers, firewalls, and load balancers plus servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are always current, captures and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when problems are discovered. By automating complex management activities, WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, locating appliances that need critical software patches, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the health of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your specified IT staff and your Progent engineering consultant so all potential problems can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hosting solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard data about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to half of time thrown away trying to find critical information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior machine learning tools to defend endpoint devices as well as servers and VMs against modern malware attacks like ransomware and email phishing, which routinely evade legacy signature-based AV products. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and offers a unified platform to address the entire malware attack lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Call Desk: Help Desk Managed Services
Progent's Call Desk services permit your information technology staff to outsource Support Desk services to Progent or split responsibilities for support services seamlessly between your internal network support resources and Progent's extensive roster of IT service engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless extension of your in-house IT support resources. End user access to the Help Desk, delivery of technical assistance, problem escalation, ticket creation and updates, efficiency measurement, and maintenance of the support database are cohesive regardless of whether incidents are taken care of by your core IT support staff, by Progent, or both. Learn more about Progent's outsourced/shared Help Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer organizations of all sizes a flexible and cost-effective alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic information system. Besides maximizing the protection and reliability of your computer environment, Progent's software/firmware update management services permit your in-house IT team to focus on line-of-business projects and tasks that derive the highest business value from your information network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication. Duo enables one-tap identity confirmation with iOS, Google Android, and other personal devices. Using 2FA, whenever you sign into a secured application and give your password you are requested to confirm who you are on a device that only you have and that uses a separate network channel. A broad selection of devices can be utilized for this added form of authentication such as an iPhone or Android or watch, a hardware/software token, a landline telephone, etc. You can designate multiple validation devices. For details about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding line of real-time and in-depth management reporting utilities designed to integrate with the industry's top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues such as spotty support follow-through or machines with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.