Ransomware: Your Worst Information Technology Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that presents an existential danger to organizations unprepared for an attack. Ransomware families such as CrySIS, CryptoWall, Locky, SamSam and MongoLock have been running rampant for years and continue to cause havoc. Recent variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, as well as additional as yet unnamed malware, not only encrypt online data files but also defeat most of the system protection mechanisms they can reach: shadow copies are deleted, backup agents are stopped, and backup repositories reachable from the compromised network are encrypted alongside production data. Files replicated to the cloud can be encrypted as well, because synchronization faithfully copies the encrypted versions. In a vulnerable system this can make automated recovery hopeless and basically sets the datacenter back to square one.
Recovering programs and data after a ransomware event becomes a sprint against the clock as the targeted business tries to contain the damage, eradicate the malware, and resume business-critical activity. Because encrypting an entire estate takes time, attackers frequently trigger it at night, when an intrusion typically takes longer to recognize. This multiplies the difficulty of rapidly assembling and organizing a qualified response team.
Progent offers an assortment of services for protecting enterprises against ransomware. Among these are user training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation endpoint security from SentinelOne that uses behavioral machine learning to detect and block zero-day attacks. Progent also provides seasoned ransomware recovery consultants with the skill and perseverance to redeploy a breached system as quickly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware attack, even paying the ransom in Bitcoin does not guarantee that the criminals will supply working decryption keys for any of your files. Kaspersky Lab estimated that seventeen percent of ransomware victims never recovered their data after paying, compounding the loss. Paying is also very costly: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet put at about $13,000. The other path is to piece the vital parts of your IT environment back together. Without complete, uncompromised backups, this calls for a broad complement of skills, top-notch project management, and the willingness to work non-stop until the recovery is complete.
For two decades, Progent has provided certified expert IT services to businesses in Columbus and across the United States and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (refer to Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of expertise gives Progent the skills to efficiently identify critical systems, gather the surviving pieces of your network after a ransomware event, and configure them into an operational system.
Progent's recovery team uses modern project management tools to coordinate the complicated recovery process. Progent understands the importance of acting quickly and in concert with a client's management and IT staff to prioritize tasks and get key applications back online as soon as possible.
Customer Case Study: A Successful Ransomware Incident Restoration
A client escalated to Progent after their organization was crippled by Ryuk ransomware. Ryuk was initially linked to North Korea because it shares code with the Hermes ransomware used by the Lazarus Group, but later analysis by CrowdStrike and others attributes its operation to a Russian-speaking criminal group (tracked as Wizard Spider) that typically gains its initial foothold through Emotet and TrickBot infections. Ryuk targets specific organizations with little tolerance for disruption and is among the most lucrative incarnations of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and Tribune Publishing's printing operations, including the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all essential business and manufacturing processes. Most of the client's backups had been directly reachable from the compromised network at the time of the intrusion and were encrypted along with production data. The client was preparing to pay the ransom (over $200K) and hope for the best, but ultimately reached out to Progent.
"I cannot tell you enough about the help Progent gave us during the most fearful period of (our) company's survival. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent team afforded us. The fact that you were able to get our e-mail system and critical servers back online quicker than one week was beyond my wildest dreams. Each person I got help from or texted at Progent was laser focused on getting our system up and was working day and night on our behalf."
Progent worked with the client to quickly identify and prioritize the most important elements that had to be addressed in order to resume departmental operations:
- Microsoft Active Directory
- Exchange Server
- Accounting/MRP
To begin, Progent followed incident response best practices by isolating and cleaning the compromised systems. Progent then started bringing Microsoft Active Directory back online, the foundation of enterprise environments built on Microsoft Windows. Microsoft Exchange Server will not function without AD, and the business's financial and MRP software used SQL Server, which relied on Active Directory (Windows authentication) for access to the databases.
Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then assisted with reinstallation and storage recovery of critical systems. All Exchange Server data and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to locate unencrypted OST files (Outlook Offline Data Files, the locally cached copy of each user's mailbox) on user PCs and recover mail from them. A reasonably recent offline backup of the customer's accounting/MRP software allowed those required services to be restored. Although a lot of work remained to recover fully from the Ryuk event, essential systems were returned to operation quickly:
"For the most part, the assembly line operation was never shut down and we delivered all customer shipments."
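Locating intact OST files among encrypted data, as described above, is a triage problem: which files on the surviving disks are still usable? The following script is an added example and not Progent's tooling. It combines two signals, a magic-number check for file types worth hunting (Outlook OST/PST files use the PFF container, which starts with `!BDN`, and in-place encryption destroys that header) and the Shannon entropy of the first 4 KiB, which is close to 8 bits per byte for ciphertext and well below that for mail caches and documents. The file names, the `.RYK` suffix on the renamed sample and the directory layout are constructed sample data, not artifacts from the case.

```python
"""Added example (not Progent's tooling): post-incident triage of a file tree,
separating files that are probably still intact from ones that look encrypted.
Natively compressed formats (zip, docx, jpeg) also have high entropy, so they
must be covered by a magic number rather than the entropy heuristic."""
import math
import random
import tempfile
from pathlib import Path

# Assumption: the file types the responder cares about. Extend as needed.
MAGIC = {
    ".ost": b"!BDN",         # Outlook Offline Data File (PFF container)
    ".pst": b"!BDN",         # Outlook Personal Folders file (same container)
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",  # Office Open XML is a zip archive
    ".xlsx": b"PK\x03\x04",
}
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5  # bits/byte; 4 KiB of random data scores about 7.95


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for a single file."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        # Known type: the magic number decides. A file renamed with a
        # ransomware suffix has an unknown extension and falls through.
        return "intact" if head.startswith(expected) else "encrypted"
    if len(head) < 64:
        return "unknown"  # too little data to judge
    return "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "intact"


def triage(root: Path) -> dict:
    """Walk root and bucket every regular file by classification."""
    report = {"intact": [], "encrypted": [], "unknown": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            report[classify(p)].append(p.relative_to(root).as_posix())
    return report


def build_demo_tree(root: Path) -> None:
    """Constructed sample data: an intact OST, an OST encrypted and renamed
    with an assumed '.RYK' suffix, a text note, an intact PDF, and a PDF
    encrypted in place that kept its name."""
    rng = random.Random(7)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
    files = {
        "users/alice/outlook.ost": b"!BDN" + b"\x00" * 60 + b"mailbox page data " * 200,
        "users/bob/outlook.ost.RYK": ciphertext,
        "docs/notes.txt": b"Quarterly production plan, line 3 shift B\n" * 100,
        "docs/report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 50,
        "docs/invoice.pdf": ciphertext,
    }
    for rel, content in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(content)


def demo() -> dict:
    """Build the constructed tree in a temp directory and return the report."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    build_demo_tree(root)
    return triage(root)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(bucket, names)
```

Run it against a mounted copy of the affected volumes, never the originals, and treat the entropy verdict as a hint: a partially encrypted file whose first 4 KiB survived will be reported intact, so anything classified that way should still be opened with the native application before it is relied on.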
Over the next few weeks, key milestones in the restoration were reached through close collaboration between Progent engineers and the customer:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore email archive for Exchange Server, holding over 4 million archived messages, was brought online and made available to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory functions were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Nearly all desktop computers were back in use by staff.
"So much of what went on those first few days is nearly entirely a blur for me, but we will not forget the countless hours each and every one of your team accomplished to help get our company back. I have been working with Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This time was a Herculean accomplishment."
Conclusion
A potentially enterprise-killing disaster was averted through hard-working professionals, a wide array of subject matter expertise, and tight collaboration. In hindsight, the incident described here could have been blunted by modern endpoint security, ISO/IEC 27001 best practices, user and IT administrator education, and properly executed procedures for data protection (in particular, backups kept offline or otherwise unreachable from the production domain) and timely security patching. The reality, however, is that criminal and state-sponsored groups operating from Russia, China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware incident, remember that Progent's roster of experts has a proven track record in ransomware blocking, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), thank you for allowing me to get some sleep after we got through the most critical parts. All of you did an amazing job, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this case study, click: Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Columbus a portfolio of online monitoring and security assessment services to help reduce the threat from ransomware. These services incorporate next-generation machine learning to detect new ransomware variants that get past traditional signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's behavioral analysis engine to defend physical and virtual endpoints against new malware attacks such as ransomware and phishing payloads, which easily evade legacy signature-based anti-virus tools. ProSight ASM protects local and cloud-based resources and provides a single platform to manage the complete threat lifecycle including filtering, identification, containment, remediation, and forensics. Key features include single-click rollback built on Windows Volume Shadow Copy Service (VSS) snapshots and real-time system-wide immunization against newly discovered threats. Because most ransomware families delete shadow copies (typically via vssadmin, wmic or WMI) before they start encrypting, VSS rollback is only as reliable as the agent's ability to block that deletion, so the feature should be exercised in a test environment rather than assumed. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and machine learning for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering through tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you to achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that call for immediate attention. Progent can also help your company set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with leading backup/restore software companies to produce ProSight Data Protection Services (DPS), a portfolio of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup operations and enable non-disruptive backup and fast restoration of important files/folders, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or application glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to deliver web-based management and comprehensive security for your email traffic. The layered architecture of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway appliance to offer protection against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first barrier and keeps the vast majority of threats from reaching your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper layer of inspection for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam filtering, data leak protection, and email encryption. The onsite gateway can also help Exchange Server monitor and safeguard internal email that stays inside your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to diagram, track, optimize and debug their networking hardware such as routers and switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that network diagrams are always current, captures and manages the configuration of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating complex management activities, WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, locating appliances that need important updates, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your IT system operating efficiently by tracking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT management personnel and your assigned Progent consultant so that any potential problems can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard data about your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to half of time spent searching for vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require when you need it. Find out more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that uses next-generation behavioral machine learning to defend endpoint devices, servers and VMs against new malware attacks such as ransomware and phishing payloads, which easily evade traditional signature-matching anti-virus products. The service protects local and cloud resources and provides a unified platform to manage the complete attack lifecycle including filtering, intrusion detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service snapshots and automatic network-wide immunization against new attacks. Learn more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Call Desk: Help Desk Managed Services
Progent's Help Desk managed services permit your information technology group to offload Call Center services to Progent or split responsibilities for Service Desk support transparently between your in-house support staff and Progent's nationwide pool of IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent supplement to your internal support staff. User interaction with the Service Desk, provision of technical assistance, problem escalation, trouble ticket generation and updates, performance metrics, and management of the service database are consistent regardless of whether incidents are taken care of by your core network support resources, by Progent, or by a combination. Read more about Progent's outsourced/shared Call Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management provide organizations of any size a versatile and affordable solution for assessing, validating, scheduling, implementing, and documenting updates to your ever-evolving IT network. Besides maximizing the security and reliability of your computer network, Progent's software/firmware update management services allow your in-house IT staff to concentrate on line-of-business projects and tasks that derive the highest business value from your network. Read more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication managed services use Cisco's Duo cloud technology to protect against compromised passwords through two-factor authentication. Duo supports one-tap identity verification on iOS, Android, and other out-of-band devices. With 2FA, whenever you log into a protected account and enter your password, you are asked to verify your identity using a device that only you possess and that communicates over a separate channel. A broad range of devices can be used for this second factor, including a smartphone or watch, a hardware or software token, or a landline phone, and you can designate several verification devices. To find out more about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of real-time reporting tools designed to work with the industry's top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues such as inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
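Both ProSight Active Security Monitoring and Active Defense Against Ransomware above rely on Windows Volume Shadow Copy snapshots for rollback, which ransomware routinely tries to destroy before encrypting. The following detection is an added example, not part of any Progent product: it runs over constructed process-creation records in the shape a SIEM holds after ingesting Windows Security event 4688 or Sysmon event 1 (ISO timestamp, host, user, parent process, full command line), flags the recovery-inhibition commands catalogued under MITRE ATT&CK T1490, raises severity for off-hours execution (the page's point that attacks are launched at night), and correlates several techniques on one host into a single precursor alert. Host names, user names and the off-hours window are assumptions chosen for the example.

```python
"""Added example: detect shadow-copy and backup destruction that would defeat
a VSS-based rollback. Input records are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines catalogued under MITRE ATT&CK T1490 (Inhibit System Recovery).
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_backups",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("wmi_shadowcopy_delete",
     re.compile(r"\bWin32_ShadowCopy\b.*\bDelete\b", re.I)),
]
OFF_HOURS = range(0, 6)                   # assumed quiet window, 00:00-05:59 local
CORRELATION_WINDOW = timedelta(minutes=10)


def match_rules(cmdline: str) -> list:
    """Names of every T1490 rule the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(events: list) -> list:
    """One alert per matching event, plus one 'ransomware_precursor' alert per
    host where two or more distinct techniques fire within the window."""
    alerts = []
    per_host = defaultdict(list)
    for ev in events:
        names = match_rules(ev["cmdline"])
        if not names:
            continue
        ts = datetime.fromisoformat(ev["time"])
        # A single hit from an admin at 10:00 is worth a ticket; the same
        # command at 02:00 from a service account is worth waking someone.
        severity = "critical" if ts.hour in OFF_HOURS else "high"
        for name in names:
            alerts.append({"rule": name, "severity": severity, "host": ev["host"],
                           "user": ev["user"], "time": ev["time"], "cmdline": ev["cmdline"]})
            per_host[ev["host"]].append((ts, name))
    for host, hits in per_host.items():
        hits.sort()
        for start, _ in hits:
            techniques = {n for t, n in hits if start <= t <= start + CORRELATION_WINDOW}
            if len(techniques) >= 2:
                alerts.append({"rule": "ransomware_precursor", "severity": "critical",
                               "host": host, "user": None, "time": start.isoformat(),
                               "cmdline": None, "techniques": sorted(techniques)})
                break
    return alerts


# Constructed sample events: an off-hours burst on a file server, a benign
# backup-agent query, and an ordinary user process.
SAMPLE_EVENTS = [
    {"time": "2020-03-14T02:07:11", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"time": "2020-03-14T02:07:12", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"time": "2020-03-14T02:07:13", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "cmdline": "wbadmin DELETE SYSTEMSTATEBACKUP"},
    {"time": "2020-03-13T11:00:00", "host": "BKUPSRV", "user": "CORP\\backupadmin",
     "parent": "backupagent.exe", "cmdline": "vssadmin.exe list shadows"},
    {"time": "2020-03-13T10:15:00", "host": "WKS042", "user": "CORP\\jdoe",
     "parent": "explorer.exe", "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["rule"], a.get("techniques") or a["cmdline"])
```

Legitimate backup software does call vssadmin and WMI, so in production the rules should carry an allow-list keyed on parent process and signing identity rather than on command-line text alone; the correlation step is what separates a housekeeping job from a pre-encryption burst.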
For Columbus 24-Hour Ransomware Remediation Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.