Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyberplague that presents an existential threat to organizations vulnerable to an attack. Various versions of crypto-ransomware like the Dharma, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for years and continue to inflict damage. Modern versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with daily as yet unnamed newcomers, not only encrypt online data files but also infect any accessible system backups. Information replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed environment, this can make recovery hopeless and effectively knocks the network back to zero.
Bringing applications and data back online after a ransomware outage becomes a race against the clock as the targeted business tries to stop lateral movement, eradicate the malware, and resume mission-critical activity. Since ransomware requires time to spread, attacks are often sprung on weekends, when successful attacks are likely to take longer to notice. This compounds the difficulty of rapidly assembling and orchestrating a capable response team.
Progent offers an assortment of support services for protecting businesses from ransomware events. These include team member training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security appliances with artificial intelligence technology from SentinelOne to discover and extinguish new cyber attacks intelligently. Progent also offers the services of experienced ransomware recovery consultants with the skills and perseverance to reconstruct a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware penetration, even paying the ransom in cryptocurrency does not ensure that the criminals will hand over the keys to decrypt any of your data. Kaspersky Labs ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET averages to be around $13,000. The alternative is to piece back together the key components of your Information Technology environment. Without essential system backups, this requires a wide range of IT skills, professional project management, and the willingness to work 24x7 until the job is complete.
For decades, Progent has provided expert IT services for businesses in Charleston and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience gives Progent the capability to rapidly identify important systems and organize the remaining parts of your network environment following a crypto-ransomware attack and configure them into a functioning system.
Progent's recovery team has powerful project management systems to coordinate the complex recovery process. Progent understands the importance of acting rapidly and in concert with a customer's management and IT staff to prioritize tasks and to get key services back on-line as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Attack Recovery
A client hired Progent after their network was brought down by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state hackers, possibly adopting techniques leaked from America's National Security Agency. Ryuk goes after specific organizations with limited ability to sustain disruption and is one of the most profitable versions of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk intrusion had shut down all business operations and manufacturing capabilities. Most of the client's system backups had been online at the beginning of the attack and were eventually encrypted. The client was evaluating paying the ransom (exceeding $200,000) and hoping for the best, but ultimately called Progent.
"I can't speak enough in regards to the support Progent provided us during the most stressful period of (our) company's survival. We may have had to pay the criminal gangs if not for the confidence the Progent group provided us. The fact that you could get our messaging and important applications back online sooner than one week was something I thought impossible. Every single staff member I worked with or messaged at Progent was urgently focused on getting us working again and was working day and night to bail us out."
Progent worked with the customer to quickly identify and prioritize the essential areas that had to be recovered in order to resume departmental operations:
- Active Directory
- Microsoft Exchange Server
To start, Progent followed industry best practices for malware incident response by containing the spread and cleaning up compromised systems. Progent then began the work of recovering Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's MRP applications used Microsoft SQL Server, which depends on Active Directory for authenticating and authorizing access to the data.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then assisted with rebuilding and hard drive recovery on essential servers. All Exchange schema and configuration information was intact, which greatly simplified the Exchange restore. Progent was also able to locate local OST files (Microsoft Outlook Offline Data Files) on employee PCs to recover mail data. A recent offline backup of the customer's financials/ERP software made it possible to bring these essential services back online. Although a lot of work remained to recover completely from the Ryuk event, critical services were restored quickly:
"For the most part, the production operation showed little impact and we made all customer sales."
During the next few weeks important milestones in the recovery process were achieved through tight cooperation between Progent consultants and the client:
- Internal web applications were returned to operation with no loss of information.
- The MailStore Microsoft Exchange Server containing more than 4 million archived messages was brought online and accessible to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control functions were fully recovered.
- A new Palo Alto 850 security appliance was brought on-line.
- Most of the desktops and laptops were fully operational.
"A lot of what was accomplished in the early hours is nearly entirely a haze for me, but our team will not soon forget the care all of you put in to give us our business back. I've trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has come through and delivered as promised. This event was a testament to your capabilities."
A possible business catastrophe was avoided through top-tier professionals, a wide array of IT skills, and tight collaboration. In hindsight, the ransomware penetration described here could have been identified and prevented with up-to-date security technology and security best practices, team training, and well-thought-out incident response procedures for backup and software patching. The fact remains, however, that government-sponsored hackers from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has proven experience in ransomware defense, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get some sleep after we got over the initial fire. Everyone did an incredible job, and if any of your team is visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Charleston a range of online monitoring and security assessment services to help you reduce the threat from crypto-ransomware. These services incorporate modern AI technology to uncover new strains of crypto-ransomware that can escape detection by legacy signature-based security solutions.
For Charleston 24/7 Ransomware Repair Help, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely evade legacy signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to manage the entire malware attack progression, including blocking, identification, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP deployment that meets your organization's specific needs and that allows you to prove compliance with government and industry data protection standards. Progent will help you define and configure the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent's consultants can also help your company install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services (DPS), a portfolio of offerings that deliver backup-as-a-service. ProSight DPS products automate and monitor your data backup processes and allow transparent backup and rapid recovery of critical files, apps, images, and virtual machines. ProSight DPS helps you recover from data loss resulting from hardware failures, natural disasters, fire, malware such as ransomware, user error, malicious insiders, or software bugs. Managed services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you determine which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security companies to deliver centralized control and comprehensive security for your email traffic. The powerful architecture of Progent's Email Guard combines cloud-based filtering with an on-premises gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from making it to your security perimeter. This decreases your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's onsite gateway device provides a deeper layer of inspection for inbound email. For outbound email, the on-premises security gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to map, track, reconfigure and troubleshoot their connectivity hardware such as routers and switches, firewalls, and access points plus servers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology maps are kept current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and generates alerts when problems are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating appliances that need important software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your IT system operating at peak levels by tracking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT staff and your assigned Progent engineering consultant so that any looming problems can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved easily to a different hosting solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save as much as 50% of the time spent looking for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Find out more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next-generation behavior-based machine learning technology to guard endpoints as well as physical and virtual servers against modern malware assaults like ransomware and email phishing, which routinely get past legacy signature-based anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a single platform to address the entire threat progression, including protection, identification, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback using Windows VSS and automatic network-wide immunization against new threats. Learn more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Service Center: Support Desk Managed Services
Progent's Support Center managed services allow your IT staff to outsource Call Center services to Progent or divide activity for support services seamlessly between your in-house network support group and Progent's extensive roster of IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a smooth supplement to your corporate IT support staff. User access to the Help Desk, delivery of support, issue escalation, ticket creation and updates, efficiency measurement, and maintenance of the service database are cohesive regardless of whether incidents are taken care of by your core network support staff, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/co-managed Call Center services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide businesses of any size a versatile and affordable alternative for evaluating, validating, scheduling, applying, and tracking updates to your ever-evolving information network. In addition to maximizing the protection and reliability of your computer environment, Progent's patch management services permit your IT team to concentrate on more strategic projects and tasks that derive maximum business value from your information network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication (2FA). Duo enables one-tap identity confirmation with iOS, Google Android, and other personal devices. With Duo 2FA, whenever you log into a secured application and give your password you are asked to confirm your identity on a device that only you possess and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used as this added means of identity validation, such as a smartphone or wearable, a hardware token, or a landline telephone. You may register several validation devices. For details about ProSight Duo two-factor identity authentication services, visit Duo MFA two-factor authentication (2FA) services for access security.