Crypto-Ransomware: Your Worst IT Nightmare
Ransomware has become an escalating cyberplague that represents an extinction-level danger for organizations vulnerable to an attack. Different versions of ransomware such as Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been around for years and still cause havoc. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, plus frequent unnamed malware, not only encrypt online data but also infect most accessible system restores and backups. Information synched to cloud environments can also be encrypted. In a vulnerable system, this can make any recovery useless and effectively sets the datacenter back to zero.
Retrieving programs and data following a crypto-ransomware event becomes a race against time as the targeted organization struggles to contain the attack, clear the virus, and resume mission-critical activity. Because ransomware needs time to move laterally, penetrations are frequently launched on weekends, when successful attacks tend to take longer to notice. This multiplies the difficulty of rapidly marshalling and orchestrating an experienced response team.
Progent has a range of services for protecting businesses from crypto-ransomware attacks. Among these are team training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security appliances with AI capabilities from SentinelOne to discover and disable zero-day cyber attacks rapidly. Progent in addition can provide the services of expert ransomware recovery consultants with the track record and commitment to re-deploy a compromised network as rapidly as possible.
Progent's Ransomware Recovery Support Services
Soon after a ransomware attack, even paying the ransom in cryptocurrency does not provide any assurance that cyber hackers will return the needed keys to decrypt any of your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms are often a few hundred thousand dollars. For larger enterprises, the ransom can be in the millions. The fallback is to piece back together the mission-critical parts of your IT environment. Absent access to essential system backups, this requires a wide complement of IT skills, professional team management, and the ability to work continuously until the job is done.
For two decades, Progent has offered expert IT services for companies across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded top industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent in addition has expertise with accounting and ERP software solutions. This breadth of experience gives Progent the capability to quickly identify necessary systems and re-organize the remaining parts of your IT system after a ransomware attack and rebuild them into a functioning network.
Progent's security team of experts has top-notch project management tools to coordinate the complicated recovery process. Progent appreciates the importance of working quickly and in concert with a client's management and Information Technology resources to assign priority to tasks and to get essential services back online as fast as humanly possible.
Customer Story: A Successful Ransomware Penetration Recovery
A business sought out Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean state-sponsored hackers, possibly adopting strategies exposed from the U.S. NSA organization. Ryuk attacks specific organizations with limited ability to sustain disruption and is among the most lucrative incarnations of ransomware. Well-known targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with around 500 staff members. The Ryuk event had disabled all essential operations and manufacturing processes. Most of the client's system backups had been online at the beginning of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for good luck, but in the end brought in Progent.
"I can't tell you enough about the help Progent provided us during the most fearful period of (our) business's survival. We would have paid the cyber criminals if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail and critical servers back online in less than seven days was beyond my wildest dreams. Every single consultant I interacted with or texted at Progent was laser focused on getting our system up and was working 24/7 to bail us out."
Progent worked with the customer to rapidly understand and assign priority to the mission critical services that had to be restored in order to continue departmental operations:
- Active Directory (AD)
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent adhered to ransomware event mitigation best practices by isolating and cleaning systems of viruses. Progent then initiated the work of restoring Microsoft AD, the core of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without AD, and the customer's financials and MRP applications utilized SQL Server, which depends on Active Directory for access to the database.
Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then assisted with setup and hard drive recovery on key servers. All Exchange schema and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to locate non-encrypted OST files (Outlook Off-Line Folder Files) on staff desktop computers in order to recover email data. A recent offline backup of the client's accounting systems made it possible to bring these vital applications back online. Although significant work remained to recover completely from the Ryuk event, essential services were restored quickly:
"For the most part, the manufacturing operation showed little impact and we made all customer deliverables."
Throughout the next few weeks critical milestones in the restoration project were completed in tight cooperation between Progent team members and the customer:
- Self-hosted web sites were restored with no loss of data.
- The MailStore Exchange Server containing more than 4 million archived emails was restored to operations and accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory functions were 100 percent operational.
- A new Palo Alto 850 firewall was set up and programmed.
- Nearly all of the user desktops were operational.
"Much of what happened in the early hours is mostly a blur for me, but we will not forget the care all of you put in to help get our company back. I've trusted Progent for at least 10 years, possibly more, and each time Progent has shined and delivered. This situation was the most impressive ever."
Conclusion
A likely business disaster was evaded through the efforts of dedicated experts, a broad range of subject matter expertise, and tight collaboration. In hindsight, the crypto-ransomware attack described here should have been blocked by modern cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and appropriate incident response procedures for backup and for keeping systems up to date with security patches. The fact remains, however, that government-sponsored hackers from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has extensive experience in ransomware virus defense, remediation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for letting me get rested after we got past the first week. Everyone made an impressive effort, and if any of your guys are around the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Chattanooga a portfolio of online monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services incorporate next-generation machine learning capability to detect new variants of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior machine learning technology to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-based AV tools. ProSight ASM protects local and cloud resources and provides a single platform to manage the entire threat lifecycle including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection services deliver ultra-affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization experts can assist your business to design and implement a ProSight ESP deployment that meets your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you to define and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also assist your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with leading backup/restore software providers to create ProSight Data Protection Services (DPS), a portfolio of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and enable non-disruptive backup and fast recovery of critical files, apps, images, and VMs. ProSight DPS helps you recover from data loss caused by equipment breakdown, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed backup services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top information security companies to deliver centralized management and world-class security for your inbound and outbound email. The powerful structure of Email Guard integrates cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your network firewall. This reduces your exposure to inbound threats and saves system bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper level of analysis for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, monitor, enhance and troubleshoot their connectivity appliances like routers, firewalls, and load balancers plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are kept updated, copies and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating time-consuming management activities, WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, locating appliances that need important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your IT system operating at peak levels by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT staff and your Progent engineering consultant so that all looming issues can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard data related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains, or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of the time wasted looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior machine learning tools to defend endpoints as well as physical and virtual servers against new malware assaults like ransomware and email phishing, which easily escape traditional signature-matching AV products. Progent ASM services protect on-premises and cloud resources and offer a unified platform to manage the entire threat progression including blocking, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Help Center: Help Desk Managed Services
Progent's Help Desk services allow your information technology staff to outsource Help Desk services to Progent or split activity for support services transparently between your internal network support staff and Progent's extensive pool of certified IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a seamless extension of your core network support resources. User access to the Help Desk, delivery of support services, escalation, trouble ticket creation and updates, performance measurement, and management of the service database are cohesive regardless of whether issues are resolved by your internal support resources, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Patch Management Services
Progent's managed services for patch management provide businesses of all sizes a flexible and cost-effective alternative for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic IT system. Besides maximizing the protection and reliability of your computer environment, Progent's software/firmware update management services free up time for your IT staff to concentrate on line-of-business projects and tasks that derive the highest business value from your network. Read more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against password theft through the use of two-factor authentication. Duo enables single-tap identity verification on iOS, Android, and other personal devices. With Duo 2FA, whenever you sign into a protected online account and enter your password you are requested to verify who you are on a device that only you possess and that uses a different ("out-of-band") network channel. A broad range of out-of-band devices can be utilized for this added means of ID validation such as a smartphone or watch, a hardware/software token, a landline phone, etc. You may register several verification devices. For more information about ProSight Duo identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of in-depth reporting plug-ins created to work with the top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For Chattanooga 24/7/365 Crypto-Ransomware Recovery Support Services, contact Progent at 800-462-8800 or go to Contact Progent.