Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become a modern cyberplague that presents an extinction-level threat for businesses of all sizes unprepared for an attack. Different iterations of ransomware like the Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and still inflict damage. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with frequent unnamed variants, not only encrypt online data but also seek out and destroy every system backup they can reach. Data synchronized to off-site disaster recovery sites can be ransomed as well. In a poorly architected data protection solution, this can make automatic restoration hopeless and effectively knocks the entire environment back to zero.
Getting applications and data back on-line after a ransomware outage becomes a race against time as the targeted business fights to contain the damage, clean up the malware, and restore mission-critical activity. Because ransomware needs time to move laterally before it detonates, attacks are usually sprung on weekends and at night, when a successful intrusion takes longer to discover. This compounds the difficulty of rapidly marshalling and orchestrating a qualified mitigation team.
Progent makes available an assortment of help services for securing businesses from crypto-ransomware events. Among these are user training to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of next-generation security solutions with machine learning technology from SentinelOne to detect and extinguish zero-day cyber attacks rapidly. Progent in addition offers the services of experienced ransomware recovery consultants with the skills and commitment to reconstruct a breached network as soon as possible.
Progent's Ransomware Recovery Services
Following a ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the remote criminals will hand over the keys to decrypt any of your data. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in further losses. The ransom itself is also expensive. Ryuk ransoms are often several hundred thousand dollars. For larger enterprises, the ransom can reach millions of dollars. The fallback is to re-install the vital components of your IT environment. Without full data backups available, this requires a wide complement of skills, top-notch team management, and the capability to work non-stop until the recovery project is complete.
For two decades, Progent has offered certified expert Information Technology services for businesses throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent also has experience in financial systems and ERP applications. This breadth of expertise provides Progent the capability to rapidly understand critical systems and consolidate the remaining pieces of your network environment following a ransomware penetration and rebuild them into an operational network.
Progent's security team of experts uses state-of-the-art project management systems to orchestrate the sophisticated recovery process. Progent understands the importance of acting swiftly and together with a client's management and IT team members to prioritize tasks and to put key applications back on-line as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Incident Response
A client engaged Progent after their organization was penetrated by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean state criminal gangs, suspected of using technology leaked from the United States National Security Agency (NSA). Ryuk targets specific companies with little or no ability to sustain disruption and is among the most lucrative versions of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with about 500 staff members. The Ryuk attack had disabled all business operations and manufacturing capabilities. Most of the client's backups had been on-line at the beginning of the intrusion and were destroyed. The client was pursuing financing to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.
"I cannot tell you enough in regards to the care Progent provided us during the most critical time of (our) business's existence. We would have paid the Hackers except for the confidence the Progent experts gave us. The fact that you could get our e-mail system and critical applications back into operation in less than a week was incredible. Each expert I spoke to or e-mailed at Progent was amazingly focused on getting us working again and was working at all hours on our behalf."
Progent worked together with the customer to quickly determine and prioritize the essential services that had to be restored to make it possible to continue business operations:
- Active Directory (AD)
- Electronic Mail
- Financials/MRP
To begin, Progent followed industry best practices for malware incident response by isolating and disinfecting systems. Progent then began the work of rebuilding Microsoft Active Directory, the foundation of enterprise environments built upon Microsoft Windows technology. Exchange messaging will not function without AD, and the client's accounting and MRP software relied on SQL Server, which in turn depends on Active Directory for authentication and authorization to the data.
Within 2 days, Progent was able to recover Active Directory to its pre-penetration state. Progent then rebuilt the needed applications and recovered their data from surviving hard drives. All Exchange schema and attributes were intact, which facilitated the restore of Exchange. Progent was able to locate non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on user desktop computers in order to recover mail messages. A recent offline backup of the business's manufacturing software made it possible to bring these essential programs back online. Although major work still had to be done to recover completely from the Ryuk virus, critical systems were restored quickly:
"For the most part, the production operation did not miss a beat and we delivered all customer sales."
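The OST-recovery step described above is the kind of workstation triage that benefits from a small script. The following Python is an added example, not Progent's tooling and not part of the case study: it walks a directory tree, finds Outlook OST/PST files (including ones a ransomware family has renamed by appending its own extension), and uses the documented MS-PST header magic "!BDN" together with a byte-entropy estimate to separate intact mailbox files from ones that have most likely been encrypted, so an analyst knows which files to copy off first. The entropy threshold, the sample user names and the constructed sample file contents are assumptions made for the example.

```python
import math
import os
import tempfile
from collections import Counter

# dwMagic from the MS-PST HEADER structure; PST and OST files both begin with it.
PST_MAGIC = b"!BDN"
SAMPLE_BYTES = 64 * 1024        # header region read from each candidate file
ENCRYPTED_ENTROPY = 7.5         # bits/byte; ciphertext sits near 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_mailbox_file(path: str) -> dict:
    """Read the start of one candidate and decide whether it still looks like an OST/PST."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    if head[:4] == PST_MAGIC:
        status = "intact"             # header magic survived: worth recovering
    elif entropy >= ENCRYPTED_ENTROPY:
        status = "likely-encrypted"   # no magic and near-uniform bytes
    else:
        status = "unknown"            # no magic, low entropy: inspect by hand
    return {"path": path, "status": status,
            "entropy": round(entropy, 2), "size": os.path.getsize(path)}


def scan_for_mailbox_files(root: str) -> list:
    """Walk `root` and classify every file whose name contains '.ost' or '.pst'.

    Matching anywhere in the name, not only as the final extension, keeps files that
    ransomware renamed (e.g. 'mailbox.ost.<appended-ext>') in the candidate set.
    """
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if ".ost" in lower or ".pst" in lower:
                results.append(classify_mailbox_file(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["path"])


def recoverable_mailboxes(root: str) -> list:
    """Paths an analyst should copy off the workstation first."""
    return [r["path"] for r in scan_for_mailbox_files(root) if r["status"] == "intact"]


def build_sample_tree(root: str) -> None:
    """Constructed test data (not real mailboxes): one intact-looking OST, one
    'encrypted' OST whose bytes are uniformly distributed, and one unrelated file."""
    os.makedirs(os.path.join(root, "alice"), exist_ok=True)
    os.makedirs(os.path.join(root, "bob"), exist_ok=True)
    with open(os.path.join(root, "alice", "alice@example.com.ost"), "wb") as fh:
        fh.write(PST_MAGIC + b"\x00" * 508 + b"mail body text " * 4000)
    with open(os.path.join(root, "bob", "bob@example.com.ost.locked"), "wb") as fh:
        fh.write(bytes(range(256)) * 256)   # entropy exactly 8.0 bits/byte
    with open(os.path.join(root, "bob", "notes.txt"), "wb") as fh:
        fh.write(b"not a mailbox file\n")


def demo_scan() -> list:
    """Build the constructed tree in a temp dir, scan it, return (name, status, entropy)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.basename(r["path"]), r["status"], r["entropy"])
                for r in scan_for_mailbox_files(tmp)]


if __name__ == "__main__":
    for name, status, entropy in demo_scan():
        print(f"{status:17} entropy={entropy:5} {name}")
```

Run it against a mounted or network-shared user profile root (for example the Users directory of an isolated workstation) instead of the constructed tree to produce a prioritized copy list; the header magic is the reliable signal, while the entropy figure only helps an analyst decide how to treat files that lost their header.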
Throughout the following month important milestones in the restoration project were made through tight collaboration between Progent engineers and the customer:
- Internal web applications were brought back up without losing any information.
- The MailStore email archive server, holding more than four million historical emails, was brought online and made available to users.
- CRM/Orders/Invoices/AP/AR/Inventory Control capabilities were 100% operational.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Ninety percent of the user PCs were back in use by staff.
"A lot of what was accomplished those first few days is mostly a blur for me, but our team will not soon forget the dedication each of you put in to help get our company back. I have trusted Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This situation was a life saver."
Conclusion
A potential business-killing disaster was averted through the efforts of results-oriented professionals, a wide spectrum of IT skills, and close teamwork. Although in retrospect the ransomware virus attack detailed here should have been identified and stopped with current cyber security technology solutions and NIST Cybersecurity Framework best practices, user training, and well designed security procedures for backup and applying software patches, the reality remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, feel confident that Progent's roster of experts has extensive experience in ransomware virus blocking, remediation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), I'm grateful for allowing me to get rested after we made it over the first week. Everyone did an incredible effort, and if any of your team is around the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Milwaukee a variety of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services utilize next-generation artificial intelligence capability to detect new variants of ransomware that can escape detection by traditional signature-based security products.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to help keep your IT system running efficiently by checking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT personnel and your Progent engineering consultant so all potential problems can be resolved before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-based platform for managing your client-server infrastructure by offering tools for streamlining common time-consuming jobs. These can include health checking, update management, automated repairs, endpoint setup, backup and restore, A/V protection, remote access, standard and custom scripts, asset inventory, endpoint profile reports, and debugging assistance. If ProSight LAN Watch with NinjaOne RMM identifies a serious issue, it sends an alarm to your designated IT staff and your Progent technical consultant so that emerging problems can be fixed before they interfere with productivity. Learn more details about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring services.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to map out, track, reconfigure and debug their networking appliances such as switches, firewalls, and load balancers plus servers, client computers and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and displays the configuration of almost all devices on your network, tracks performance, and generates alerts when potential issues are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding devices that need critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of real-time reporting utilities created to work with the industry's top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as inconsistent support follow-through or machines with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services, a portfolio of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and track your backup operations and enable non-disruptive backup and fast restoration of vital files/folders, apps, system images, plus virtual machines. ProSight DPS helps your business avoid data loss caused by equipment failures, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or application glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these fully managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security vendors to provide web-based management and world-class protection for all your inbound and outbound email. The hybrid architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This decreases your exposure to external threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to defend against password theft by using two-factor authentication (2FA). Duo enables single-tap identity verification with Apple iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you sign into a protected online account and enter your password you are asked to confirm who you are on a device that only you possess and that is reached over a separate network channel. A wide selection of devices can be used for this added means of authentication, such as an iPhone, an Android phone, a smartwatch, a hardware token, or a landline telephone. You can register several validation devices. To learn more about ProSight Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services.
- Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
Progent's Support Center managed services allow your information technology staff to offload Support Desk services to Progent or split activity for Service Desk support seamlessly between your internal support team and Progent's extensive roster of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a transparent extension of your core network support staff. Client interaction with the Help Desk, provision of support, issue escalation, trouble ticket creation and tracking, performance measurement, and management of the service database are cohesive regardless of whether incidents are resolved by your core IT support staff, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Call Center services.
- Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes next-generation behavior analysis tools to defend endpoint devices as well as physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-based AV products. Progent ASM services protect local and cloud-based resources and provide a unified platform to address the entire malware attack progression including protection, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Learn more about Progent's ransomware defense and recovery services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect data related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can eliminate as much as half of the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
- Patch Management: Patch Management Services
Progent's managed services for patch management offer businesses of any size a versatile and affordable alternative for assessing, validating, scheduling, implementing, and tracking updates to your dynamic IT network. Besides maximizing the protection and functionality of your IT network, Progent's software/firmware update management services free up time for your in-house IT staff to focus on line-of-business projects and tasks that derive maximum business value from your information network. Learn more about Progent's patch management services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported easily to an alternate hosting solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to manage the complete threat lifecycle including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering through cutting-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can help your business to plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you to demonstrate compliance with government and industry information security standards. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent can also assist your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
For Milwaukee 24x7x365 Ransomware Recovery Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.