Ransomware: Your Worst IT Catastrophe
Ransomware has become a too-frequent cyberplague that presents an extinction-level threat for businesses of all sizes that are poorly prepared for an attack. Ransomware families such as Reveton, Fusob, Bad Rabbit, NotPetya and the MongoLock cryptoworm have been circulating for many years and continue to cause harm. Newer variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, plus additional as yet unnamed malware, not only encrypt online information but also seek out and encrypt any reachable system backups. Information synced to cloud environments can also be corrupted. In a vulnerable environment, this can render automated restore operations hopeless and effectively sets the datacenter back to zero.
Restoring applications and data following a ransomware intrusion becomes a race against time as the victim tries to contain and clean up the crypto-ransomware and to resume business-critical operations. Since ransomware requires time to move laterally, attacks are frequently launched at night, when penetrations are likely to take longer to uncover. This multiplies the difficulty of promptly assembling and coordinating a knowledgeable mitigation team.
Progent makes available an assortment of services for protecting enterprises from ransomware attacks. Among these are team training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of SentinelOne security technology with machine learning capabilities to discover and disable zero-day cyber attacks intelligently. Progent can also provide the assistance of veteran ransomware recovery engineers with the talent and perseverance to reconstruct a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Help
After a ransomware penetration, even paying the ransom in cryptocurrency does not guarantee that the criminal gangs will provide the keys needed to decrypt any of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to piece back together the critical components of your IT environment. Absent the availability of essential information backups, this calls for a broad range of IT skills, professional team management, and the ability to work non-stop until the task is complete.
For two decades, Progent has made available certified expert IT services for companies in Cleveland and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience gives Progent the ability to rapidly identify critical systems, consolidate the surviving pieces of your IT environment following a ransomware attack, and configure them into a functioning network.
Progent's security team of experts uses top notch project management systems to orchestrate the complicated recovery process. Progent knows the importance of acting quickly and in unison with a client's management and IT resources to prioritize tasks and to put critical systems back online as fast as humanly possible.
Client Story: A Successful Crypto-Ransomware Virus Restoration
A business sought out Progent after their company was brought down by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state criminal gangs, possibly adopting technology leaked from the United States National Security Agency. Ryuk targets specific organizations that have little or no tolerance for disruption and is among the most lucrative examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with around 500 employees. The Ryuk attack had frozen all essential operations and manufacturing processes. Most of the client's system backups had been online at the beginning of the attack and were eventually encrypted. The client was evaluating paying the ransom (exceeding $200K) and hoping for good luck, but ultimately reached out to Progent.
"I cannot thank you enough for the expertise Progent gave us during the most critical time of (our) business's existence. We would have paid the criminal gangs if it wasn't for the confidence the Progent group provided us. The fact that you were able to get our messaging and key applications back online sooner than 1 week was amazing. Each consultant I interacted with or e-mailed at Progent was hell-bent on getting our system up and was working all day and night to bail us out."
Progent worked with the customer to rapidly understand and prioritize the mission critical areas that needed to be recovered in order to resume departmental functions:
- Active Directory
- E-Mail
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for AV/malware incident response by stopping the spread and cleaning up compromised systems. Progent then started recovering Microsoft Active Directory (AD), the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not operate without Windows AD, and the customer's financial and MRP systems ran on Microsoft SQL Server, which depends on Active Directory for authentication to the database.
Within two days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then initiated reinstallations and hard drive recovery for essential applications. All Exchange Server schema and configuration information was intact, which accelerated the restoration of Exchange. Progent was also able to find intact OST files (Outlook offline data files) on staff desktop computers and laptops and used them to recover mail data. A relatively recent offline backup of the client's manufacturing software made it possible to bring these required applications back online. Although significant work remained to recover completely from the Ryuk attack, core services were returned to operation rapidly:
"For the most part, the production operation survived unscathed and we produced all customer deliverables."
Over the following few weeks, important milestones in the restoration process were achieved through close cooperation between Progent consultants and the customer:
- Internal web sites were brought back up with no loss of information.
- The MailStore Server containing more than four million archived messages was brought online and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were fully recovered.
- A new Palo Alto 850 firewall was brought online.
- Ninety percent of the user desktops were back into operation.
"A huge amount of what transpired that first week is nearly entirely a haze for me, but my management will not soon forget the care each of the team accomplished to give us our business back. I have entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a stunning achievement."
Conclusion
A probable company-ending disaster was avoided thanks to dedicated professionals, a broad range of technical expertise, and tight collaboration. In hindsight, the crypto-ransomware attack described here could have been prevented with modern cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, well thought out incident response procedures, isolated backups, and proper patching controls. The fact remains, however, that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's team of professionals has a proven track record in crypto-ransomware virus blocking, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for allowing me to get rested after we made it over the initial push. All of you did an amazing effort, and if any of you guys are visiting the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer case study, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Cleveland a variety of remote monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services incorporate modern machine learning capability to uncover new strains of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior-based machine learning technology to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to automate the complete malware attack progression including protection, detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection services offer economical in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP deployment that meets your company's specific needs and that allows you to achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent can also assist you to set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with advanced backup technology providers to produce ProSight Data Protection Services (DPS), a family of offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and allow transparent backup and rapid restoration of vital files/folders, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or application glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these fully managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to deliver web-based management and world-class security for your email traffic. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This reduces your exposure to external threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper level of inspection for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also help Microsoft Exchange Server to track and protect internal email that stays within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map, track, optimize and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, copies and displays the configuration of virtually all devices on your network, monitors performance, and generates notices when problems are discovered. By automating tedious management activities, WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, locating appliances that need important updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by checking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so any potential problems can be addressed before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hardware environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect information about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half of the time spent looking for critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting edge behavior-based machine learning technology to defend endpoint devices and physical and virtual servers against new malware assaults such as ransomware and email phishing, which easily escape traditional signature-matching AV products. Progent's services protect local and cloud-based resources and offer a single platform to automate the complete malware attack progression including protection, detection, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Service Center: Support Desk Managed Services
Progent's Call Desk managed services allow your information technology staff to offload Call Center services to Progent or divide responsibilities for Help Desk services transparently between your internal network support team and Progent's extensive roster of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth supplement to your core network support group. User interaction with the Help Desk, provision of support services, issue escalation, ticket generation and tracking, efficiency measurement, and maintenance of the support database are cohesive regardless of whether incidents are resolved by your core network support group, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Service Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide businesses of all sizes a versatile and affordable alternative for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your dynamic IT system. Besides maximizing the security and reliability of your IT network, Progent's software/firmware update management services allow your IT team to focus on more strategic projects and activities that derive maximum business value from your network. Learn more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo MFA services incorporate Cisco's Duo technology to defend against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. Using Duo 2FA, when you sign into a secured online account and enter your password, you are asked to confirm your identity via a device that only you have and that is reached over a different ("out-of-band") network channel. A wide selection of out-of-band devices can be used for this added form of ID validation, including an iPhone, Android phone or wearable, a hardware or software token, a landline phone, etc. You can designate several validation devices. To find out more about Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding suite of real-time management reporting plug-ins created to work with the top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues like spotty support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Cleveland 24/7 CryptoLocker Cleanup Experts, contact Progent at 800-462-8800 or go to Contact Progent.