Ransomware: Your Worst IT Disaster
Ransomware has become a too-frequent cyberplague that presents an enterprise-level threat for businesses poorly prepared for an assault. Versions of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for years and still inflict havoc. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, as well as additional unnamed viruses, not only encrypt on-line data but also defeat most configured system protections. Files synchronized to off-site disaster recovery sites can also be encrypted. In a poorly designed environment, this can render automated recovery impossible and effectively knocks the entire system back to zero.
Recovering services and data following a crypto-ransomware event becomes a sprint against time as the targeted business fights to stop the spread, eradicate the ransomware, and resume enterprise-critical operations. Since ransomware requires time to replicate, attacks are often launched during nights and weekends, when a successful penetration may take longer to recognize. This multiplies the difficulty of quickly marshalling and organizing an experienced response team.
Progent offers an assortment of services for protecting organizations from ransomware attacks. These include staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security gateways with artificial intelligence technology from SentinelOne to discover and quarantine zero-day cyber threats quickly. Progent also provides the assistance of veteran crypto-ransomware recovery professionals with the skills and perseverance to restore a breached network as soon as possible.
Progent's Crypto-Ransomware Restoration Help
Soon after a ransomware event, sending the ransom in cryptocurrency does not guarantee that cyber criminals will return the needed codes to decipher all your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information even after having paid the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms are often a few hundred thousand dollars. For larger enterprises, the ransom demand can be in the millions of dollars. The alternative is to re-install the key parts of your Information Technology environment. Absent access to complete information backups, this requires a broad range of IT skills, well-coordinated project management, and the willingness to work non-stop until the task is over.
For decades, Progent has made available certified expert Information Technology services for companies across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally renowned industry certifications including CISM, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the ability to knowledgeably identify the necessary systems, integrate the surviving parts of your Information Technology environment following a ransomware penetration, and rebuild them into an operational system.
Progent's security group deploys powerful project management tools to coordinate the sophisticated restoration process. Progent appreciates the urgency of acting swiftly and together with a client's management and IT staff to prioritize tasks and to put critical services back on-line as soon as humanly possible.
Client Story: A Successful Ransomware Attack Recovery
A client sought out Progent after their network was brought down by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean government-sponsored criminal gangs, possibly adopting techniques leaked from the United States NSA. Ryuk targets specific businesses with limited room for operational disruption and is among the most lucrative instances of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company located in the Chicago metro area with around 500 staff members. The Ryuk event had paralyzed all company operations and manufacturing processes. Most of the client's system backups had been directly accessible from the network at the time of the attack and were damaged. The client was evaluating paying the ransom (more than $200,000) and praying for good luck, but in the end made the decision to use Progent.
"I can't thank you enough for the help Progent provided us during the most fearful time of (our) business's life. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent group gave us. The fact that you could get our messaging and critical applications back on-line in less than five days was incredible. Each consultant I talked with or communicated with at Progent was amazingly focused on getting my company operational and was working at a breakneck pace to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the most important systems that had to be addressed to make it possible to continue company functions:
- Active Directory (AD)
- Electronic Mail
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident mitigation by halting the spread and disinfecting systems. Progent then initiated the process of rebuilding Active Directory, the key technology of enterprise networks built upon Microsoft Windows Server. Exchange messaging will not operate without AD, and the customer's financials and MRP system ran on SQL Server, which relied on Active Directory for authentication to the databases.
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with rebuilding and hard drive recovery on mission-critical systems. All Microsoft Exchange Server schema and configuration information was intact, which accelerated the rebuild of Exchange. Progent was able to collect local OST data files (Outlook Off-Line Folder Files) from team workstations in order to recover email messages. A recent off-line backup of the customer's accounting/ERP systems made it possible to restore these essential applications and make them available to users again. Although significant work remained to recover completely from the Ryuk damage, essential services were returned to operation quickly:
"For the most part, the production operation survived unscathed and we delivered all customer shipments."
During the next month, key milestones in the recovery process were accomplished through close collaboration between Progent consultants and the client:
- Internal web applications were returned to operation with no loss of information.
- The MailStore Exchange Server, with over 4 million historical emails, was brought online and made available to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were 100% restored.
- A new Palo Alto 850 security appliance was installed.
- Nearly all of the desktops and laptops were back in operation.
"Much of what transpired during the initial response is mostly a blur for me, but my team will not soon forget the dedication each of you put in to give us our business back. I've utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This time was a life saver."
Conclusion
A likely company-ending disaster was averted through the efforts of hard-working experts, a wide range of IT skills, and close collaboration. Although, as forensics later showed, the ransomware attack described here would have been identified and prevented by up-to-date cyber security technology, NIST Cybersecurity Framework best practices, user education, and well-designed incident response procedures for information backup and software patching, the reality is that government-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's team of professionals has substantial experience in crypto-ransomware defense, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thank you for allowing me to get rested after we got past the initial push. All of you made an incredible effort, and if anyone is visiting the Chicago area, a great meal is on me!"
To read or download a PDF version of this ransomware incident report, click: Progent's Ransomware Recovery Case Study Datasheet (PDF - 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Toledo a variety of remote monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services incorporate next-generation AI capability to uncover new variants of crypto-ransomware that can escape detection by legacy signature-based security products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT management staff and your assigned Progent consultant so any potential issues can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM Solution for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-driven platform for managing your network, server, and desktop devices by providing tools for performing common time-consuming jobs. These can include health checking, update management, automated repairs, endpoint deployment, backup and restore, A/V protection, remote access, standard and custom scripts, asset inventory, endpoint status reporting, and debugging help. When ProSight LAN Watch with NinjaOne RMM identifies a serious issue, it transmits an alert to your designated IT management staff and your Progent consultant so that potential issues can be fixed before they impact your network. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring consulting.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map, monitor, optimize and troubleshoot their networking appliances like switches, firewalls, and load balancers plus servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and displays the configuration information of virtually all devices on your network, tracks performance, and generates notices when potential issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, locating devices that require important updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing family of real-time management reporting plug-ins designed to work with the industry's top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with leading backup technology companies to produce ProSight Data Protection Services (DPS), a selection of offerings that deliver backup-as-a-service. ProSight DPS products automate and track your backup operations and allow non-disruptive backup and fast restoration of vital files/folders, applications, images, and virtual machines. ProSight DPS helps your business protect against data loss resulting from equipment breakdown, natural disasters, fire, malware such as ransomware, human mistakes, ill-intentioned insiders, or software glitches. Managed backup services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security vendors to provide centralized control and world-class protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This reduces your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway device provides a deeper level of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication managed services incorporate Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo supports single-tap identity confirmation with iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a secured application and enter your password, you are asked to confirm who you are via a device that only you possess and that uses a different network channel. A wide range of devices can be used for this added means of identity validation, including an iPhone, Android phone or wearable, a hardware token, or a landline phone. You can designate multiple verification devices. To find out more about Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication services for access security.
- Outsourced/Co-managed Call Desk: Help Desk Managed Services
Progent's Help Desk services allow your information technology team to offload Support Desk services to Progent or split activity for Help Desk services seamlessly between your in-house support group and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless supplement to your internal support organization. User interaction with the Service Desk, delivery of support services, problem escalation, trouble ticket creation and updates, performance measurement, and maintenance of the support database are cohesive regardless of whether issues are taken care of by your core support staff, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Service Center services.
- Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates cutting-edge behavior-based machine learning technology to defend endpoints as well as servers and VMs against modern malware attacks like ransomware and email phishing, which easily evade traditional signature-based anti-virus products. Progent ASM services protect local and cloud resources and provide a unified platform to manage the entire malware attack lifecycle, including protection, identification, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and recovery services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to half of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about ProSight IT Asset Management service.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management provide organizations of all sizes a versatile and affordable alternative for assessing, validating, scheduling, implementing, and tracking updates to your dynamic information system. Besides maximizing the security and reliability of your computer network, Progent's software/firmware update management services allow your in-house IT staff to focus on line-of-business projects and tasks that deliver the highest business value from your network. Read more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved immediately to a different hardware environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting-edge behavior analysis technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to address the entire malware attack lifecycle, including filtering, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering through leading-edge tools packaged within one agent managed from a single control. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP deployment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent's consultants can also help your company to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.
For 24x7 Toledo Crypto-Ransomware Repair Services, call Progent at 800-462-8800 or go to Contact Progent.