Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a modern cyberplague that presents an extinction-level threat for organizations unprepared for an attack. Older ransomware families such as CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock have been running rampant for years and still inflict harm. Newer crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with frequent as-yet-unnamed malware, not only encrypt online files but also seek out and encrypt or delete every backup they can reach, including local shadow copies and backup repositories accessible over the network. Information synchronized to the cloud can also be encrypted. In a poorly architected environment, this renders automated restore operations hopeless and effectively knocks the entire system back to zero.
Recovering services and data after a ransomware attack becomes a race against time as the victim tries to stop the spread, remove the ransomware and restore business-critical operations. Because ransomware operators need time to move laterally and stage the attack, the encryption phase is often launched on weekends and holidays, when it is likely to take longer to notice and when it is hardest to mobilize and coordinate a capable response team.
Progent offers an assortment of services for protecting organizations from crypto-ransomware incidents. These include team training to help identify and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security solutions with machine learning capabilities from SentinelOne to discover and disable zero-day threats automatically. Progent can also provide experienced ransomware recovery consultants with the track record and commitment to reconstruct a compromised network as rapidly as possible.
Progent's Ransomware Restoration Help
Following a ransomware attack, even paying the ransom in Bitcoin does not ensure that the attackers will provide working keys to decrypt all your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the typical ransomware demand, which ZDNet put at approximately $13,000. The fallback is to piece back together the key components of your IT environment. Absent full, uncompromised system backups, this calls for a wide range of skill sets, professional team management, and the ability to work continuously until the job is finished.
For twenty years, Progent has provided certified expert IT services for businesses in Corpus Christi and throughout the United States and has earned Microsoft Partner status with the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of expertise allows Progent to knowledgeably identify the important systems, integrate the surviving components of your network following a ransomware event, and assemble them into a working environment.
Progent's recovery group deploys state-of-the-art project management tools to orchestrate the sophisticated recovery process. Progent appreciates the importance of working quickly and in concert with a client's management and Information Technology staff to prioritize tasks and to get critical services back on line as fast as possible.
Case Study: A Successful Crypto-Ransomware Recovery
A business contacted Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of code overlap with the earlier Hermes ransomware, but later analysis attributed it to Russian-speaking criminal groups. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative ransomware operations. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business in the Chicago area with around 500 employees. The Ryuk intrusion had disabled all essential business and manufacturing systems. Most of the client's backups had been directly accessible from the network at the start of the intrusion and were encrypted along with everything else. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but in the end engaged Progent.
"I cannot speak enough about the support Progent provided us throughout the most fearful period of (our) business's existence. We would have paid the cybercriminals except for the confidence the Progent team gave us. The fact that you could get our e-mail and essential servers back on-line quicker than five days was beyond my wildest dreams. Every single consultant I spoke to or messaged at Progent was laser focused on getting us back on-line and was working day and night on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the essential systems that had to be recovered for departmental functions to continue:
- Windows Active Directory
- Microsoft Exchange Server
To start, Progent followed ransomware incident response best practices by halting lateral movement and cleaning infected systems. Progent then began recovering Active Directory, the heart of any environment built on Microsoft technology: Exchange cannot run without Active Directory, and the client's MRP system used Microsoft SQL Server, which relied on Windows (Active Directory) authentication for access to the database.
Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then rebuilt and recovered the disks of the other required systems. All Exchange schema and configuration information held in Active Directory was intact, which simplified the Exchange restore. Progent was also able to collect local OST files (Outlook offline data files) from staff desktops to recover email messages. A recent offline backup of the customer's accounting software, which the ransomware had not been able to reach, made it possible to bring those required applications back online. Although major work remained to recover completely from Ryuk, the most important systems were restored quickly:
"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer deliverables."
Over the following month, important recovery milestones were completed through tight collaboration between Progent team members and the customer:
- Internal web sites were brought back up with no loss of data.
- The MailStore email archive server for Exchange, with over 4 million archived messages, was brought back up and made accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were fully functional.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Most of the desktops and laptops were functioning as before the incident.
"So much of what happened those first few days is mostly a fog for me, but we will not soon forget the commitment each and every one of you put in to help get our business back. I have trusted Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered. This event was the most impressive ever."
A potentially company-killing disaster was averted by results-oriented experts, a wide array of subject matter expertise, and tight collaboration. Post-incident forensics showed that the crypto-ransomware incident described here could have been blocked with modern endpoint protection, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well-designed procedures for backups (including keeping copies offline or otherwise out of reach of a compromised network) and for applying software patches. The reality remains that ransomware operators, including state-sponsored and state-tolerated groups in Russia, North Korea and elsewhere, are tireless and an ongoing threat. If you are hit by a ransomware attack, remember that Progent's roster of experts has a proven track record in crypto-ransomware prevention, mitigation, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get some sleep after we made it through the initial fire. Everyone did an amazing effort, and if any of your team is around the Chicago area, dinner is on me!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Corpus Christi a variety of remote monitoring and security assessment services to assist you to reduce the threat from crypto-ransomware. These services include modern machine learning technology to uncover zero-day variants of crypto-ransomware that can evade legacy signature-based anti-virus solutions.
For 24x7x365 Corpus Christi Ransomware Cleanup Help, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next-generation behavioral machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which easily escape legacy signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to address the complete threat lifecycle including prevention, detection, containment, remediation, and forensics. Key features include single-click rollback of encrypted files using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly identified attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
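The VSS-based rollback described above only works if shadow copies still exist when the agent needs them, and most current ransomware families, Ryuk included, run a short sequence of backup-tampering commands (deleting shadow copies, the Windows Backup catalog and boot recovery options) before they start encrypting, which is also how the client's directly accessible backups in the case study above were lost. The following is an added example, not code from Progent or SentinelOne, of detection logic that flags those commands in process-creation events (Windows Security event 4688 or Sysmon event ID 1 reduced to timestamp, host, user and command line). The event records, hostnames and user names are constructed for the example; the command lines themselves are the well-documented ones that ransomware uses.

```python
"""
Flag backup-tampering commands that ransomware runs before encrypting files.

Input: process-creation events (Windows Security 4688 / Sysmon event ID 1)
reduced to (timestamp, host, user, command_line). Output: one alert per
matching event plus a per-host summary, so a host that runs several distinct
techniques in a short period stands out as an active encryption attempt.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class ProcessEvent(NamedTuple):
    timestamp: str
    host: str
    user: str
    command_line: str


# Each rule pairs a name with a regex applied to the normalized command line.
# Patterns require the tool name AND the destructive verb so that routine
# administration such as "vssadmin list shadows" is not flagged.
BACKUP_TAMPER_RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vss_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b")),
    ("bcdedit_recovery_off", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("powershell_shadow_delete", re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b")),
]


def normalize(command_line: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so quoting and casing
    tricks ("Vssadmin.EXE" "Delete"  Shadows) still match. Base64-encoded
    PowerShell (-EncodedCommand) must be decoded before this step; that is
    out of scope here."""
    stripped = command_line.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", stripped).strip().lower()


def match_rules(command_line: str) -> List[str]:
    """Return the names of every rule the command line triggers."""
    text = normalize(command_line)
    return [name for name, rx in BACKUP_TAMPER_RULES if rx.search(text)]


def detect(events: List[ProcessEvent]) -> List[dict]:
    """One alert per event that matches at least one rule."""
    alerts = []
    for ev in events:
        hits = match_rules(ev.command_line)
        if hits:
            alerts.append({"timestamp": ev.timestamp, "host": ev.host,
                           "user": ev.user, "rules": hits,
                           "command_line": ev.command_line})
    return alerts


def techniques_by_host(alerts: List[dict]) -> Dict[str, Set[str]]:
    """Distinct techniques seen per host; several on one host is a strong
    signal that encryption is about to start (or has started)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for alert in alerts:
        seen[alert["host"]].update(alert["rules"])
    return dict(seen)


# Constructed sample events for the example (hosts, users and times are made up).
SAMPLE_EVENTS = [
    ProcessEvent("2020-03-07T02:14:09Z", "ws-117", "CORP\\jdoe",
                 'vssadmin.exe Delete Shadows /All /Quiet'),
    ProcessEvent("2020-03-06T16:02:44Z", "ws-117", "CORP\\helpdesk",
                 'vssadmin list shadows'),                      # benign
    ProcessEvent("2020-03-06T16:05:10Z", "ws-117", "CORP\\jdoe",
                 r'notepad.exe C:\Users\jdoe\Documents\shadows.txt'),  # benign
    ProcessEvent("2020-03-07T02:15:31Z", "admin-pc", "CORP\\svc_backup",
                 'wmic.exe shadowcopy delete'),
    ProcessEvent("2020-03-07T02:16:02Z", "fs-02", "CORP\\svc_backup",
                 'wbadmin delete catalog -quiet'),
    ProcessEvent("2020-03-07T02:16:05Z", "fs-02", "CORP\\svc_backup",
                 'bcdedit /set {default} recoveryenabled No'),
    ProcessEvent("2020-03-07T02:16:09Z", "fs-02", "CORP\\svc_backup",
                 r'C:\Windows\System32\cmd.exe /c "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"'),
    ProcessEvent("2020-03-07T02:16:20Z", "fs-02", "CORP\\svc_backup",
                 'powershell.exe -Command Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}'),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["timestamp"], a["host"], a["user"], a["rules"])
    for host, techniques in techniques_by_host(found).items():
        print(f"{host}: {len(techniques)} distinct backup-tampering techniques")
```

In a real deployment the same rules run inside the SIEM or EDR query language rather than in Python; the value of the script is that it makes the matching behaviour explicit and testable, including the negative cases (a `list` rather than `delete`, or a filename that merely contains "shadows") that a looser keyword match would alert on.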
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP environment that meets your organization's specific requirements and that helps you demonstrate compliance with government and industry information protection standards. Progent will assist you to specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require urgent action. Progent can also help your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has worked with leading backup software providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your backup operations and allow transparent backup and fast recovery of critical files, apps, system images, plus VMs. ProSight DPS helps your business avoid data loss resulting from equipment failures, natural calamities, fire, malware such as ransomware, user mistakes, malicious insiders, or application bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security vendors to provide centralized management and comprehensive security for your email traffic. The architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the on-premises security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-site security gateway can also help Microsoft Exchange Server to track and protect internal email that stays inside your corporate firewall. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map, monitor, optimize and troubleshoot their network appliances such as routers, firewalls, and wireless controllers, plus servers, printers, endpoints and other devices. Incorporating current Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology maps up to date, captures and manages the configuration of almost all devices connected to your network, tracks performance, and sends alerts when problems are detected. By automating tedious management processes, WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating appliances that need important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network running at peak levels by checking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT management personnel and your Progent consultant so that any looming issues can be resolved before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expiration of SSL/TLS certificates or warranties. By keeping your IT documentation current, you can eliminate up to 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management provides a common location for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you are planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Find out more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes behavioral machine learning tools to defend endpoints, servers and VMs against new malware attacks such as ransomware and email phishing payloads, which routinely get by legacy signature-based AV tools. The service safeguards on-premises and cloud-based resources and provides a unified platform to manage the complete threat lifecycle including prevention, detection, containment, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly identified attacks. Learn more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Center: Call Center Managed Services
Progent's Call Desk services enable your IT staff to offload Support Desk services to Progent or divide activity for Help Desk services seamlessly between your in-house network support resources and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth supplement to your corporate support organization. Client interaction with the Service Desk, delivery of technical assistance, escalation, trouble ticket generation and updates, performance measurement, and maintenance of the service database are cohesive regardless of whether incidents are resolved by your core IT support resources, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Help Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer businesses of any size a flexible and affordable solution for evaluating, validating, scheduling, applying, and tracking updates to your dynamic information system. Besides maximizing the security and reliability of your computer network, Progent's software/firmware update management services allow your IT staff to concentrate on more strategic projects and activities that derive the highest business value from your network. Find out more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against credential theft through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign in to a protected account and enter your password, you are asked to confirm your identity on a device that only you have and that uses a separate ("out-of-band") network channel, so a stolen password alone is not enough to log in. A wide range of devices can be used for this second form of validation, such as a smartphone or watch, a hardware token, or a landline telephone, and you may designate multiple validation devices. To find out more about Duo two-factor identity validation services, go to Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing line of in-depth reporting tools created to work with the leading ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues like spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.