Ransomware : Your Crippling Information Technology Disaster
Ransomware has become a modern cyberplague that represents an existential danger for organizations poorly prepared for an assault. Multiple generations of ransomware such as CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been replicating for years and still cause havoc. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, plus more unnamed malware, not only encrypt online data but also infect any configured system backup. Files synched to cloud environments can also be ransomed. In a vulnerable data protection solution, it can make automated restore operations hopeless and effectively knocks the datacenter back to square one.
Getting back online applications and information following a ransomware outage becomes a sprint against time as the targeted business struggles to contain and clear the crypto-ransomware and to restore mission-critical activity. Because crypto-ransomware requires time to move laterally, attacks are usually launched on weekends, when attacks in many cases take more time to identify. This compounds the difficulty of quickly marshalling and coordinating a knowledgeable mitigation team.
Progent provides an assortment of services for protecting organizations from ransomware penetrations. Among these are staff training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security appliances with artificial intelligence technology from SentinelOne to discover and disable new threats quickly. Progent in addition can provide the assistance of seasoned ransomware recovery professionals with the skills and perseverance to reconstruct a breached network as urgently as possible.
Progent's Ransomware Recovery Services
Subsequent to a ransomware event, paying the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will respond with the keys to unencrypt any of your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their data after having paid the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly above the average ransomware demands, which ZDNET averages to be in the range of $13,000. The alternative is to piece back together the key parts of your IT environment. Without the availability of essential data backups, this requires a broad complement of skill sets, professional team management, and the willingness to work non-stop until the recovery project is completed.
For two decades, Progent has offered expert Information Technology services for businesses in Cleveland and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded high-level certifications in leading technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity consultants have garnered internationally-recognized certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience gives Progent the ability to quickly understand critical systems and consolidate the remaining pieces of your network environment after a ransomware penetration and configure them into a functioning system.
Progent's security team uses state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent knows the urgency of working rapidly and together with a customer's management and Information Technology staff to prioritize tasks and to put the most important systems back on-line as soon as humanly possible.
Client Story: A Successful Ransomware Penetration Restoration
A client sought out Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been launched by Northern Korean state criminal gangs, suspected of using strategies exposed from the U.S. National Security Agency. Ryuk targets specific organizations with little ability to sustain disruption and is among the most lucrative examples of ransomware. High publicized targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business located in the Chicago metro area and has around 500 staff members. The Ryuk event had brought down all business operations and manufacturing processes. Most of the client's information backups had been online at the start of the intrusion and were damaged. The client was pursuing financing for paying the ransom (exceeding $200,000) and hoping for good luck, but ultimately made the decision to use Progent.
"I can't thank you enough about the help Progent provided us throughout the most fearful time of (our) businesses survival. We most likely would have paid the Hackers except for the confidence the Progent group afforded us. That you could get our e-mail system and essential servers back in less than one week was beyond my wildest dreams. Every single person I spoke to or e-mailed at Progent was urgently focused on getting us back online and was working 24 by 7 to bail us out."
Progent worked hand in hand the customer to quickly understand and assign priority to the key elements that needed to be restored to make it possible to continue business functions:
To get going, Progent adhered to ransomware incident response best practices by stopping lateral movement and performing virus removal steps. Progent then began the steps of rebuilding Windows Active Directory, the core of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange messaging will not work without Windows AD, and the customer's accounting and MRP applications leveraged Microsoft SQL Server, which requires Active Directory services for authentication to the information.
- Microsoft Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
In less than 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then initiated reinstallations and hard drive recovery of essential applications. All Exchange Server data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Email Off-Line Folder Files) on team PCs to recover mail messages. A not too old off-line backup of the client's manufacturing systems made it possible to return these vital applications back online. Although a lot of work was left to recover fully from the Ryuk virus, essential systems were recovered quickly:
"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer orders."
During the next few weeks key milestones in the restoration process were completed in tight collaboration between Progent engineers and the customer:
- In-house web applications were brought back up without losing any information.
- The MailStore Exchange Server exceeding four million historical emails was brought on-line and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were completely functional.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Most of the user workstations were back into operation.
"Much of what was accomplished those first few days is mostly a haze for me, but our team will not soon forget the commitment each of the team accomplished to give us our company back. I've entrusted Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a stunning achievement."
A potential company-ending disaster was averted with top-tier experts, a broad spectrum of subject matter expertise, and close collaboration. Although upon completion of forensics the ransomware penetration detailed here should have been disabled with up-to-date cyber security systems and NIST Cybersecurity Framework best practices, user and IT administrator education, and properly executed incident response procedures for information backup and proper patching controls, the fact remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a ransomware incident, feel confident that Progent's team of professionals has substantial experience in crypto-ransomware virus blocking, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thanks very much for letting me get rested after we made it through the initial push. All of you did an fabulous effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Cleveland a variety of online monitoring and security evaluation services to assist you to minimize your vulnerability to crypto-ransomware. These services include modern artificial intelligence capability to uncover new strains of ransomware that are able to evade traditional signature-based anti-virus products.
For Cleveland 24x7 CryptoLocker Recovery Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior machine learning tools to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to manage the complete threat progression including blocking, identification, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint management, and web filtering through leading-edge technologies packaged within one agent accessible from a single control. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your organization's specific needs and that helps you demonstrate compliance with legal and industry data protection regulations. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent's consultants can also assist your company to install and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore software providers to create ProSight Data Protection Services, a family of offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your backup operations and allow non-disruptive backup and fast restoration of critical files/folders, applications, images, and virtual machines. ProSight DPS helps your business avoid data loss caused by equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, human error, malicious employees, or software bugs. Managed backup services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security vendors to provide web-based control and comprehensive security for your email traffic. The powerful structure of Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter acts as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper layer of analysis for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also help Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, monitor, enhance and troubleshoot their connectivity hardware such as switches, firewalls, and access points as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, copies and displays the configuration of almost all devices on your network, tracks performance, and generates notices when issues are detected. By automating complex network management processes, ProSight WAN Watch can knock hours off common chores like network mapping, expanding your network, finding appliances that require critical updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running efficiently by checking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT staff and your Progent consultant so any potential issues can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hosting solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect data about your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can save as much as 50% of time wasted looking for critical information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes cutting edge behavior-based machine learning tools to guard endpoints and servers and VMs against modern malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus tools. Progent Active Security Monitoring services protect local and cloud-based resources and provides a single platform to address the complete malware attack lifecycle including protection, infiltration detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
Progent's Call Center services permit your IT team to outsource Support Desk services to Progent or split activity for Help Desk services seamlessly between your in-house support resources and Progent's extensive roster of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent extension of your internal IT support group. Client access to the Help Desk, provision of support, issue escalation, trouble ticket creation and tracking, performance measurement, and maintenance of the support database are consistent regardless of whether issues are resolved by your core IT support staff, by Progent, or by a combination. Read more about Progent's outsourced/shared Service Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer organizations of all sizes a flexible and affordable solution for evaluating, testing, scheduling, applying, and tracking updates to your ever-evolving IT network. In addition to optimizing the security and reliability of your IT network, Progent's patch management services permit your IT team to concentrate on more strategic initiatives and activities that derive maximum business value from your network. Read more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against password theft by using two-factor authentication. Duo supports one-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. Using 2FA, when you sign into a secured application and give your password you are asked to verify who you are via a unit that only you possess and that is accessed using a separate network channel. A broad selection of devices can be used for this added form of authentication including a smartphone or wearable, a hardware/software token, a landline phone, etc. You can register multiple verification devices. For more information about Duo identity validation services, refer to Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing family of in-depth reporting tools created to work with the industry's leading ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues such as spotty support follow-through or endpoints with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.