Crypto-Ransomware : Your Crippling IT Nightmare
Ransomware has become a modern cyberplague that presents an extinction-level danger for businesses of all sizes that are unprepared for an attack. Earlier iterations of ransomware such as Reveton, CryptoWall, Locky, NotPetya and MongoLock have been around for a long time and still cause destruction. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nefilim, along with new and as yet unnamed malware appearing daily, not only encrypt online data but also defeat most of the protection mechanisms available to the victim. Files replicated to off-site disaster recovery sites can also be held hostage. In a poorly designed data protection solution, this can render automatic restoration useless and effectively knock the datacenter back to zero.
Getting programs and information back after a ransomware attack becomes a race against time as the victim tries to contain the damage, clean up the ransomware, and restore enterprise-critical operations. Because crypto-ransomware needs time to spread across a network, attacks are often sprung at night, when a successful intrusion typically takes longer to recognize. This multiplies the difficulty of promptly marshalling and orchestrating an experienced mitigation team.
Progent provides a variety of solutions for securing businesses from ransomware events. Among these are team member education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security solutions with artificial intelligence capabilities from SentinelOne to discover and disable zero-day cyber attacks intelligently. Progent also offers the assistance of veteran ransomware recovery engineers with the skills and commitment to re-deploy a compromised system as rapidly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware event, paying the ransom in cryptocurrency does not guarantee that the cyber criminals will provide the keys to decrypt any of your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their information even after sending off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms are commonly several hundred thousand dollars. For larger enterprises, the ransom demand can reach millions. The fallback is to re-install the key components of your IT environment. Without access to full information backups, this calls for a broad complement of skills, top-notch project management, and the capability to work 24x7 until the recovery project is over.
For decades, Progent has provided expert IT services for companies throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned advanced certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of expertise gives Progent the capability to knowledgeably identify the necessary systems, integrate the surviving pieces of your network environment following a crypto-ransomware attack, and configure them into a functioning system.
Progent's ransomware team uses powerful project management applications to orchestrate the complex recovery process. Progent knows the importance of acting rapidly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to put key services back on-line as soon as humanly possible.
Case Study: A Successful Ransomware Penetration Recovery
A small business engaged Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored cybercriminals, suspected of adopting strategies leaked from America's NSA. Ryuk targets specific businesses with little ability to sustain disruption and is among the most profitable examples of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in Chicago with around 500 workers. The Ryuk event had disabled all business operations and manufacturing processes. Most of the client's information backups had been online at the start of the intrusion and were damaged. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately called Progent.
"I cannot tell you enough in regards to the support Progent gave us throughout the most stressful time of (our) business's existence. We may have had to pay the Hackers if it wasn't for the confidence the Progent group afforded us. The fact that you could get our e-mail system and important applications back into operation in quicker than a week was earth shattering. Every single consultant I got help from or communicated with at Progent was laser focused on getting us working again and was working day and night on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical services that needed to be restored to make it possible to restart company operations:
- Active Directory
- Microsoft Exchange Email
- Financials/MRP
To get going, Progent followed industry best practices for malware incident response by stopping lateral movement and removing active malware. Progent then began rebuilding Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange email will not function without AD, and the business's accounting and MRP system used Microsoft SQL Server, which relies on Active Directory to authorize access to the data.
Within two days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then performed setup and hard drive recovery on the most important systems. All Exchange data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Data Files) on staff workstations and laptops to recover email information. A recent offline backup of the customer's manufacturing software allowed these required services to be returned to users. Although significant work remained to recover completely from the Ryuk damage, essential systems were restored quickly:
"For the most part, the production operation did not miss a beat and we did not miss any customer sales."
Throughout the following month, key milestones in the restoration project were reached through tight cooperation between Progent consultants and the client:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore Server with over 4 million archived messages was brought on-line and available for users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were 100 percent operational.
- A new Palo Alto 850 firewall was installed.
- Ninety percent of the desktop computers were fully operational.
"A huge amount of what happened during the initial response is nearly entirely a haze for me, but our team will not forget the countless hours all of you accomplished to help get our business back. I have been working with Progent for the past 10 years, possibly more, and each time Progent has shined and delivered. This situation was the most impressive ever."
Conclusion
A likely enterprise-killing disaster was averted by hard-working professionals, a wide array of subject matter expertise, and tight collaboration. In hindsight, the crypto-ransomware incident detailed here should have been identified and blocked by advanced security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and appropriate security procedures for information protection and keeping systems current with security patches. The reality remains, however, that state-sponsored hackers from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, you can be confident that Progent's roster of professionals has proven experience in ransomware blocking, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for letting me get some sleep after we got past the initial fire. Everyone did an impressive effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Cleveland a variety of online monitoring and security assessment services to assist you to minimize the threat from ransomware. These services utilize modern AI technology to detect new variants of ransomware that are able to evade legacy signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system running efficiently by tracking the health of critical assets that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT management personnel and your Progent consultant so that any potential issues can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software delivers a centralized, cloud-driven solution for managing your network, server, and desktop devices by offering an environment for streamlining common time-consuming jobs. These include health monitoring, patch management, automated repairs, endpoint configuration, backup and restore, anti-virus defense, remote access, built-in and custom scripts, resource inventory, endpoint profile reports, and debugging assistance. If ProSight LAN Watch with NinjaOne RMM uncovers a serious issue, it sends an alarm to your designated IT management personnel and your Progent technical consultant so potential issues can be taken care of before they impact your network. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring consulting.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map, track, reconfigure and debug their networking hardware like routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept current, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, locating devices that need critical updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing line of in-depth management reporting tools designed to work with the industry's leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-up or endpoints with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with leading backup software providers to create ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and allow transparent backup and rapid restoration of critical files/folders, applications, system images, and VMs. ProSight DPS lets you recover from data loss caused by hardware breakdown, natural disasters, fire, malware like ransomware, human mistakes, malicious employees, or application bugs. Managed backup services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security vendors to deliver web-based control and world-class security for your email traffic. The layered architecture of the Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats from reaching your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication. Duo enables one-tap identity confirmation with iOS, Google Android, and other personal devices. With Duo 2FA, when you sign into a protected application and give your password you are asked to verify your identity on a device that only you have and that uses a separate network channel. A broad range of devices can be utilized as this added means of ID validation such as a smartphone or watch, a hardware/software token, a landline phone, etc. You may designate multiple validation devices. For more information about ProSight Duo two-factor identity validation services, see Duo MFA two-factor authentication (2FA) services.
- Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
Progent's Call Desk services permit your IT team to offload Call Center services to Progent or split responsibilities for Help Desk services seamlessly between your in-house support group and Progent's extensive roster of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth extension of your corporate support resources. End user interaction with the Service Desk, provision of support, problem escalation, trouble ticket generation and updates, performance measurement, and management of the service database are cohesive regardless of whether incidents are resolved by your corporate IT support resources, by Progent, or both. Find out more about Progent's outsourced/co-managed Help Desk services.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes next-generation behavior analysis tools to defend endpoints, servers, and VMs against new malware assaults like ransomware and file-less exploits, which easily escape traditional signature-based AV products. Progent Active Security Monitoring services protect local and cloud-based resources and provide a unified platform to address the complete malware attack progression including filtering, identification, mitigation, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard data related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide organizations of any size a flexible and cost-effective solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic IT network. In addition to optimizing the protection and functionality of your IT network, Progent's software/firmware update management services free up time for your IT team to concentrate on line-of-business initiatives and tasks that derive maximum business value from your network. Learn more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be moved easily to an alternate hardware environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which easily escape legacy signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to address the complete threat progression including blocking, detection, containment, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies incorporated within one agent accessible from a unified console. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP deployment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry information security standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
For Cleveland 24/7/365 Crypto Repair Experts, call Progent at 800-462-8800 or go to Contact Progent.