Crypto-Ransomware: Your Feared Information Technology Nightmare
Ransomware has become an all-too-frequent cyberplague that poses an existential danger to businesses of any size that are unprepared for an attack. Ransomware families such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock have circulated for years and continue to inflict damage. Newer families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, plus as-yet-unnamed variants appearing daily, not only encrypt online files but also seek out and destroy every backup reachable from the compromised network. Data synchronized to the cloud can be encrypted right along with it. In a poorly designed environment this renders automated restore procedures useless and effectively knocks the network back to square one.
Recovering services and data after a crypto-ransomware intrusion is a race against the clock: the targeted organization must contain the spread, eradicate the ransomware, and restore business-critical operations, all at once. Because the intruders need days or weeks of lateral movement before the encryption stage, they frequently trigger it on weekends and holidays, when the attack takes longer to notice and a capable response team is hardest to assemble and organize.
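The warning above, that ransomware now seeks out every reachable backup, has a practical corollary: a backup you cannot prove is intact is not a backup. The following added example (written for this page; it is not Progent's or any vendor's tooling) shows one such check in Python. It records a SHA-256 manifest of a backup set, which you would store offline or on immutable storage, and later verifies the set against that manifest, reporting missing, modified and unexpected files and using byte entropy to single out the ones that look encrypted. The directory layout, file names, sample contents and the `.locked` extension are all constructed for the demonstration.

```python
"""Verify a backup set against an offline SHA-256 manifest and flag files that
look encrypted. Added example for this page; not Progent's or any vendor's tool.
All paths and sample content below are constructed for the demonstration."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Random or encrypted data approaches 8 bits/byte; plain text and most office
# documents are well below this. Compressed media will also score high (caveat).
ENTROPY_THRESHOLD = 7.5
HEAD_BYTES = 65536  # sample only the first 64 KiB of each candidate file


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256.
    Store the result offline or on immutable storage, never beside the backup."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the backup set on disk with the trusted manifest.

    missing:    in the manifest, gone from disk (deleted or renamed by the attacker)
    modified:   present but hash differs (overwritten, e.g. encrypted in place)
    unexpected: on disk but not in the manifest (renamed payloads, ransom notes)
    suspicious: modified or unexpected files whose content looks encrypted
    """
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    suspicious = []
    for rel in modified + unexpected:
        with (root / rel).open("rb") as f:
            if shannon_entropy(f.read(HEAD_BYTES)) > ENTROPY_THRESHOLD:
                suspicious.append(rel)
    return {"missing": missing, "modified": modified,
            "unexpected": unexpected, "suspicious": suspicious}


def demo() -> dict[str, list[str]]:
    """Build a small constructed backup set, snapshot it, simulate a ransomware run,
    and return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "finance/ledger.db": b"2024-01-31,4410,Payables,1250.00\n" * 200,
            "hr/payroll.csv": b"date,employee,amount\n" + b"2024-01-31,E1042,5200.00\n" * 100,
            "docs/policy.txt": b"Backups are verified weekly against the offline manifest.\n" * 40,
        }
        for rel, content in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        manifest = build_manifest(root)  # taken while the set is known good

        # Simulated attacker activity (constructed): encrypt one file in place,
        # rename-and-encrypt another, and drop a ransom note.
        (root / "finance/ledger.db").write_bytes(os.urandom(8192))
        (root / "hr/payroll.csv").unlink()
        (root / "hr/payroll.csv.locked").write_bytes(os.urandom(8192))
        (root / "README_TO_DECRYPT.txt").write_bytes(b"Your files are encrypted. Pay to recover.\n")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:>10}: {paths}")
```

Entropy is a heuristic: compressed archives, images and already-encrypted databases also sit near 8 bits per byte, so treat the `suspicious` list as a triage queue rather than a verdict and let the manifest comparison drive the integrity decision. The manifest itself must live somewhere the ransomware cannot reach, or it will be encrypted along with everything else.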
Progent offers a variety of services for protecting enterprises from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for endpoint protection and response, and deployment of SentinelOne's machine-learning-based endpoint security to detect and stop zero-day attacks. Progent also provides seasoned ransomware recovery engineers with the skill and perseverance to rebuild a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware attack, paying the ransom in cryptocurrency provides no assurance that the criminals will deliver working decryption keys. Kaspersky found that seventeen percent of ransomware victims who paid never recovered their files, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently run to several hundred thousand dollars, and for larger enterprises into the millions. The alternative is to piece the essential elements of your IT environment back together. Without access to complete, uncorrupted backups, this calls for a wide range of skills, first-rate project management, and the willingness to work around the clock until the recovery is done.
For two decades, Progent has provided professional IT services to companies across the US and has earned Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts includes engineers holding top industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP, CRISC, GIAC, and CMMC 2.0 (visit Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth lets Progent quickly identify the critical systems, salvage the surviving pieces of your network after a crypto-ransomware attack, and reassemble them into an operational environment.
Progent's recovery team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the importance of working rapidly and in concert with the customer's management and IT staff to prioritize tasks and bring essential systems back online as fast as possible.
Client Story: A Successful Crypto-Ransomware Incident Response
A business contacted Progent after its network was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but most researchers now attribute it to financially motivated, Russian-speaking criminal groups. Ryuk is deployed against specific businesses with little ability to tolerate downtime and is among the most profitable examples of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with about 500 employees. The Ryuk incident had halted all business operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were destroyed. The client was arranging financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I can't say enough about the expertise Progent gave us throughout the most stressful time of (our) company's existence. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts provided us. That you could get our messaging and key applications back online in less than a week was something I thought impossible. Every single staff member I spoke to or e-mailed at Progent was totally committed to getting my company operational and was working day and night on our behalf."
Progent worked with the customer to rapidly identify and prioritize the key services that had to be recovered to resume business operations:
- Active Directory (AD)
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practices: isolating affected systems to halt lateral movement and cleaning up infected hosts. Progent then began rebuilding Microsoft Active Directory, the heart of enterprise systems built on Microsoft technology. Exchange messaging will not function without AD, and the business's accounting and MRP software ran on Microsoft SQL Server, which authenticated users against AD before granting access to the data.
Within two days, Progent had rebuilt Active Directory to its pre-attack state, then helped set up and recover the disks of the most important servers. The Exchange Server schema extensions and attributes in AD were intact, which simplified restoring Exchange. Progent collected unencrypted OST files (Microsoft Outlook Offline Data Files) from staff desktop computers to recover email messages. A relatively recent offline backup of the customer's financial/ERP software allowed these essential applications to be brought back online. Although substantial work remained to recover fully from Ryuk, critical systems were restored rapidly:
"For the most part, the assembly line operation survived unscathed and we delivered all customer orders."
Over the next couple of weeks, key milestones in the recovery project were completed in close cooperation between Progent team members and the customer:
- Self-hosted web sites were restored without loss of data.
- The MailStore archive server, holding more than four million archived messages, was brought online and made available to users.
- CRM, orders, invoicing, AP, accounts receivable and inventory functions were 100% operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Nearly all user desktops and notebooks were back in staff hands.
"Much of what transpired in the early hours is almost entirely a blur for me, but my team will not forget the care each and every one of you put in to give us our business back. I have been working with Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered as promised. This situation was a testament to your capabilities."
Conclusion
A probable business-extinction disaster was averted thanks to hard-working experts, a broad spectrum of subject matter expertise, and tight teamwork. In hindsight, the incident described here would have been detected and prevented by modern security tooling and recognized best practices: user and IT administrator training, properly executed procedures for backing up data, and keeping systems current with security patches. Nonetheless, state-sponsored and criminal attackers from China, North Korea, Russia and elsewhere are tireless and will keep trying. If you do fall victim to a crypto-ransomware attack, be assured that Progent's team of professionals has proven experience in ransomware defense, removal, and information systems recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for making it so I could get rested after we made it through the initial push. Everyone did an incredible job, and if any of you guys are around the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Corpus Christi a variety of remote monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services include modern machine learning technology to detect zero-day ransomware variants that evade legacy signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's next-generation behavior analysis technology to guard physical and virtual endpoints against modern malware such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus products. ProSight ASM protects local and cloud-based resources and offers a single platform to manage the entire attack progression: filtering, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable, in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of, and response to, attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies packaged in one agent and managed from a single console. Progent's data protection and virtualization consultants can help you plan and configure a ProSight ESP deployment that addresses your organization's unique needs and lets you demonstrate compliance with legal and industry data security standards. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent can also help your company set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has partnered with leading backup software companies to create ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and allow non-disruptive backup and rapid recovery of vital files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss caused by hardware breakdown, natural calamities, fire, cyber attacks like ransomware, human error, ill-intentioned insiders, or application glitches. Managed backup services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security companies to provide web-based management and world-class protection for your inbound and outbound email. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to external attacks and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance provides a deeper layer of inspection for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email that stays within your corporate firewall. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map, monitor, reconfigure and troubleshoot their networking hardware like routers and switches, firewalls, and access points plus servers, printers, client computers and other devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are kept updated, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and generates notices when problems are detected. By automating complex management processes, WAN Watch can cut hours off common tasks such as making network diagrams, expanding your network, finding appliances that require important updates, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your network running at peak levels by tracking the state of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT personnel and your Progent engineering consultant so all potential issues can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating systems, and the applications. Because the system is virtualized, it can be moved quickly to alternate hardware without a lengthy and difficult reinstallation. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and safeguard data about your IT infrastructure, processes, business applications, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates, domains or warranties. By keeping your network documentation current, you can save as much as 50% of the time otherwise wasted looking for critical information about your network. ProSight IT Asset Management provides a centralized location for holding and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. It also offers advanced automation for gathering and associating IT data. Whether you are making enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates next-generation behavioral machine learning to defend endpoint devices, servers and VMs against new malware attacks such as ransomware and file-less exploits, which routinely get past legacy signature-based AV products. The service safeguards on-premises and cloud resources and offers a single platform to manage the complete attack progression: blocking, detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Desk: Call Center Managed Services
Progent's Service Desk managed services allow your IT group to offload Service Desk support to Progent or to split Service Desk activity seamlessly between your in-house support group and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a transparent extension of your internal IT support staff. End-user access to the Service Desk, delivery of support, issue escalation, ticket generation and tracking, efficiency measurement, and management of the support database are cohesive whether issues are resolved by your core IT support group, by Progent, or by a combination. Learn more about Progent's outsourced/shared Service Desk services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective solution for assessing, testing, scheduling, applying, and documenting software and firmware updates to your dynamic information system. Besides maximizing the protection and reliability of your IT environment, Progent's patch management services allow your in-house IT team to focus on line-of-business initiatives and tasks that deliver the highest business value from your information network. Read more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect accounts against stolen or guessed passwords through two-factor authentication (2FA). Duo supports single-tap identity verification on iOS, Android, and other personal devices. With Duo 2FA, after you log into a protected application and enter your password, you are asked to confirm who you are via a device that only you possess and that uses a different network channel. A broad range of devices can serve as this second factor, including an iPhone, Android phone or wearable, a hardware token, or a landline phone, and you can enroll several verification devices. For more information about Duo identity validation services, visit Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding suite of real-time and in-depth reporting utilities created to work with the industry's leading ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues such as inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For Corpus Christi 24-7 Ransomware Remediation Consultants, contact Progent at 800-462-8800 or go to Contact Progent.