Ransomware: Your Worst IT Catastrophe
Ransomware has become an escalating cyber plague that represents an existential threat to businesses of all sizes. Variants such as CryptoLocker, Fusob, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been circulating for years and still cause havoc. Recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus newer malware not yet named, not only encrypt online data but also encrypt every system backup they can reach. Data synchronized to cloud environments can be ransomed as well. With a vulnerable data protection solution, this can make automated recovery hopeless and effectively sets the datacenter back to zero.
Recovering programs and data after a ransomware intrusion becomes a race against time as the targeted business works to stop lateral movement, remove the malware, and restore business-critical operations. Since ransomware needs time to spread, attacks are often launched on weekends, when they typically take longer to notice. This compounds the difficulty of rapidly marshalling and organizing a capable mitigation team.
Progent offers a variety of services for protecting businesses from ransomware events. These include employee education on recognizing and avoiding phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of current-generation security solutions with artificial intelligence technology from SentinelOne to detect and block zero-day attacks automatically. Progent can also provide expert ransomware recovery consultants with the skills and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminal gang will hand over the keys needed to decrypt all your data. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000), far higher than the typical ransomware demand, which ZDNET estimates at around $13,000. The fallback is to rebuild the vital elements of your IT environment from scratch. Without complete system backups, this calls for a broad set of skills, professional project management, and the ability to work non-stop until the recovery project is complete.
For decades, Progent has provided professional IT services to businesses in Cleveland and throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals holding advanced certifications in foundation technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of experience lets Progent quickly understand the systems involved, organize the surviving pieces of your IT environment after a ransomware penetration, and assemble them into a functioning system.
Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the importance of acting swiftly and in concert with a customer's management and IT staff to prioritize tasks and bring critical systems back online as fast as possible.
Business Case Study: A Successful Ransomware Attack Response
A customer contacted Progent after their organization was brought down by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored criminal gangs, possibly using techniques leaked from the U.S. NSA. Ryuk targets organizations with little or no tolerance for disruption and is among the most profitable ransomware families. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk penetration had brought down all company operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were eventually encrypted. The client was considering paying the ransom (over $200K) and hoping for the best, but ultimately brought in Progent.
"I can't thank you enough for the expertise Progent provided us throughout the most fearful period of (our) business's survival. We would have had little choice but to pay the cyber criminals if it weren't for the confidence the Progent group afforded us. That you could get our e-mail and essential servers back into operation in less than five days was beyond my wildest dreams. Each consultant I got help from or texted at Progent was absolutely committed to getting us back online and was working at breakneck pace to bail us out."
Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical systems that had to be restored before company operations could restart:
- Microsoft Active Directory
- E-Mail
- Financials/MRP
To begin, Progent followed industry best practices for malware incident response by halting the spread and removing the active malware. Progent then began recovering Windows Active Directory, the key technology in enterprise environments built on Microsoft Windows. Microsoft Exchange Server email will not operate without Windows AD, and the business's financials and MRP applications ran on SQL Server, which relies on Windows AD to authenticate access to the data.
Within two days, Progent had rebuilt Windows Active Directory to its pre-attack state. Progent then rebuilt the required servers and recovered their storage. All Microsoft Exchange Server schema and attributes were intact, which accelerated the restoration of Exchange. Progent was able to locate local OST files (Outlook Offline Data Files) on various workstations and laptops and recover email data from them. A recent offline backup of the business's manufacturing systems made it possible to bring these vital services back online. Although a great deal of work remained to recover fully from the Ryuk event, the most important services were returned to operation rapidly:
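The email recovery step above hinges on finding Outlook data files that the ransomware did not reach. The following PowerShell script is an added example, not Progent's code and not part of the original case study: it inventories OST and PST files under each user profile on a Windows host (or a mounted image of one), checks each file for the `!BDN` signature that intact Outlook data files begin with, and writes a CSV so the recovery team can see which mailboxes are still recoverable. The profile root, the report path and the function name `Test-OutlookDataFileHeader` are choices made for this example.

```powershell
# Added example (not Progent's code): inventory Outlook OST/PST files on a
# Windows host after a ransomware event and report which ones still carry the
# intact Outlook data-file signature, so recoverable mailboxes can be triaged.
# $ProfileRoot, $Report and the function name are assumed names for this example.

[CmdletBinding()]
param(
    # Profile root to scan; point this at a mounted image of a workstation disk
    # when triaging a machine that has been taken offline.
    [string]$ProfileRoot = 'C:\Users',
    # Where to write the CSV triage report.
    [string]$Report = (Join-Path $env:TEMP 'ost-inventory.csv')
)

# Outlook data files (PST and OST) start with the 4-byte magic "!BDN"
# (0x21 0x42 0x44 0x4E). A file that ransomware has encrypted no longer
# carries it, so the header check separates usable files from lost ones.
$OutlookMagic = [byte[]](0x21, 0x42, 0x44, 0x4E)

function Test-OutlookDataFileHeader {
    param([Parameter(Mandatory)][string]$Path)
    # Open with ReadWrite sharing so a file Outlook still holds open can be read.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 4
        $read = $fs.Read($buf, 0, 4)
        if ($read -lt 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) {
            if ($buf[$i] -ne $OutlookMagic[$i]) { return $false }
        }
        return $true
    } finally {
        $fs.Dispose()
    }
}

# Default Outlook data-file locations: OST files live under LocalAppData,
# PST files default to Documents\Outlook Files. Searching per profile keeps
# the scan short and ties each file to a mailbox owner.
$results = foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
    $candidates = @(
        (Join-Path $profile.FullName 'AppData\Local\Microsoft\Outlook'),
        (Join-Path $profile.FullName 'Documents\Outlook Files')
    )
    foreach ($dir in ($candidates | Where-Object { Test-Path -LiteralPath $_ })) {
        # Ransomware commonly appends an extra extension to the files it
        # encrypts, so match on the name stem rather than a clean .ost/.pst.
        Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '\.(ost|pst)(\.|$)' } |
            ForEach-Object {
                [pscustomobject]@{
                    User         = $profile.Name
                    Path         = $_.FullName
                    SizeMB       = [math]::Round($_.Length / 1MB, 1)
                    LastWrite    = $_.LastWriteTime
                    HeaderIntact = Test-OutlookDataFileHeader -Path $_.FullName
                }
            }
    }
}

# Intact files first, newest first within each group, then persist and display.
$results | Sort-Object HeaderIntact, LastWrite -Descending |
    Export-Csv -LiteralPath $Report -NoTypeInformation
$results | Format-Table -AutoSize

Write-Host ("{0} candidate files, {1} with intact headers; report: {2}" -f `
    @($results).Count, @($results | Where-Object HeaderIntact).Count, $Report)
```

Run it as an administrator on each workstation, or pass -ProfileRoot pointing at a mounted disk image of a quarantined machine. A file with an intact header and a recent LastWrite is the best candidate; locating an OST is only the first step, since its contents still have to be exported into the rebuilt mailbox.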
"For the most part, the manufacturing operation showed little impact and we did not miss any customer deliverables."
Throughout the following couple of weeks critical milestones in the recovery process were achieved in close collaboration between Progent team members and the client:
- Self-hosted web applications were restored without losing any information.
- The MailStore Server, holding more than 4 million archived emails, was restored to operation and accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory Control functions were 100 percent functional.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Most of the user workstations were back into operation.
"A lot of what was accomplished in the early hours is mostly a fog for me, but I will not soon forget the care each and every one of you accomplished to give us our company back. I have entrusted Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered. This time was a stunning achievement."
Conclusion
A potentially enterprise-killing catastrophe was averted through the efforts of top-tier experts, a wide range of knowledge, and tight collaboration. In hindsight, the ransomware incident described here should have been identified and blocked with advanced cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and well-thought-out procedures for backups and for keeping systems current with security patches. The fact remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and will keep attacking. If you are hit by a ransomware incursion, remember that Progent's roster of experts has extensive experience in ransomware defense, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get some sleep after we got through the most critical parts. Everyone did an incredible effort, and if anyone that helped is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Cleveland a range of remote monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services include modern AI capability to detect zero-day variants of ransomware that can get past legacy signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's cutting-edge behavior-based analysis tools to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which easily escape traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to manage the entire threat progression, including filtering, identification, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to cyber assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP environment that meets your organization's specific needs and that helps you prove compliance with legal and industry data security standards. Progent will help you define and implement the policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also help you set up and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup software providers to create ProSight Data Protection Services (DPS), a selection of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and allow non-disruptive backup and fast recovery of vital files, applications, system images, plus VMs. ProSight DPS lets your business protect against data loss caused by equipment failures, natural calamities, fire, cyber attacks like ransomware, user mistakes, ill-intentioned employees, or application glitches. Managed backup services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security companies to provide web-based control and world-class security for all your email traffic. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to offer advanced defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the on-premises gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server in monitoring and protecting internal email that stays within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, track, optimize and debug their networking appliances such as routers, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating time-consuming network management processes, WAN Watch can knock hours off common chores like network mapping, expanding your network, finding devices that require important updates, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT management staff and your Progent engineering consultant so that all looming issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can eliminate up to 50% of time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Find out more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection service that uses next-generation behavior-based machine learning technology to defend endpoints and physical and virtual servers against new malware assaults like ransomware and file-less exploits, which routinely get past traditional signature-matching AV tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and offer a single platform to manage the complete threat progression, including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback with the Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Service Desk: Support Desk Managed Services
Progent's Support Desk services permit your information technology team to outsource Help Desk services to Progent or divide activity for Help Desk services transparently between your in-house support staff and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a transparent extension of your corporate support team. Client access to the Service Desk, delivery of support, escalation, ticket generation and updates, performance measurement, and maintenance of the service database are consistent regardless of whether issues are resolved by your corporate support group, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Service Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management provide organizations of any size a flexible and affordable solution for assessing, validating, scheduling, applying, and tracking updates to your dynamic information network. Besides maximizing the protection and functionality of your IT network, Progent's patch management services allow your in-house IT team to focus on more strategic initiatives and tasks that deliver the highest business value from your information network. Find out more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against the use of compromised passwords through two-factor authentication. Duo enables one-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you sign into a secured application and enter your password, you are asked to confirm who you are via a device that only you possess and that is reached over a different network channel. A broad selection of out-of-band devices can serve as this added form of ID validation, including a smartphone or watch, a hardware token, or a landline telephone. You may register several validation devices. To find out more about ProSight Duo identity authentication services, visit Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of in-depth reporting tools created to integrate with the leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues like spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24-7 Cleveland Ransomware Recovery Support Services, contact Progent at 800-462-8800 or go to Contact Progent.