Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become an escalating cyberplague that represents an extinction-level threat for businesses of all sizes vulnerable to an attack. Different iterations of ransomware such as the CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for many years and continue to inflict havoc. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with additional as yet unnamed viruses, not only encrypt on-line critical data but also infect all configured system restore points and backups. Files synched to cloud environments can also be held hostage. Against a vulnerable data protection solution, this can make automated restoration hopeless and effectively sets the entire system back to zero.
Restoring services and data following a ransomware intrusion becomes a sprint against the clock as the victim fights to stop lateral movement, eradicate the malware, and restore mission-critical operations. Because ransomware needs time to spread, attacks are often sprung at night, when successful penetrations typically take longer to identify. This multiplies the difficulty of promptly marshalling and orchestrating an experienced mitigation team.
Progent makes available a variety of services for securing enterprises from ransomware attacks. Among these are user training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security solutions with AI capabilities from SentinelOne to discover and disable zero-day cyber attacks automatically. Progent also provides the assistance of expert ransomware recovery consultants with the track record and commitment to rebuild a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware penetration, even paying the ransom demand in cryptocurrency does not guarantee that the criminal gangs will respond with the keys to decrypt any or all of your files. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their data after having paid the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms are often several hundred thousand dollars. For larger enterprises, the ransom demand can reach millions of dollars. The other path is to piece back together the essential elements of your IT environment. Without access to essential information backups, this calls for a wide complement of skill sets, professional project management, and the willingness to work 24x7 until the recovery project is finished.
For decades, Progent has offered professional Information Technology services for companies throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-recognized certifications including CISM, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent also has expertise with accounting and ERP software solutions. This breadth of experience gives Progent the capability to rapidly identify the necessary systems, salvage the surviving pieces of your IT environment after a crypto-ransomware event, and assemble them into an operational network.
Progent's recovery group utilizes state-of-the-art project management applications to coordinate the sophisticated restoration process. Progent appreciates the importance of acting swiftly and in unison with a customer's management and IT team members to prioritize tasks and to put the most important services back on-line as fast as possible.
Case Study: A Successful Ransomware Incident Response
A client engaged Progent after their company was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored cybercriminals, possibly using techniques leaked from the United States NSA. Ryuk targets specific businesses with little or no ability to sustain disruption and is among the most profitable versions of ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had shut down all business operations and manufacturing capabilities. The majority of the client's information backups had been on-line at the time of the intrusion and were destroyed. The client was evaluating paying the ransom demand (exceeding $200K) and hoping for the best, but in the end brought in Progent.
"I cannot tell you enough about the expertise Progent provided us during the most fearful period of (our) company's life. We most likely would have paid the criminal gangs if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and production servers back on-line in less than a week was incredible. Each staff member I got help from or e-mailed at Progent was totally committed to getting our system up and was working 24/7 to bail us out."
Progent worked hand in hand with the client to rapidly assess and prioritize the most important areas that needed to be addressed to make it possible to resume company operations:
- Microsoft Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident response best practices by stopping the spread and cleaning up compromised systems. Progent then started the process of rebuilding Microsoft Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's accounting and MRP applications ran on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the database.
In less than two days, Progent was able to restore Active Directory services to their pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery on essential servers. All Microsoft Exchange Server schema and configuration information was usable, which greatly helped the rebuild of Exchange. Progent was also able to gather non-encrypted OST data files (Microsoft Outlook Offline Folder Files) from staff desktop computers and laptops to recover mail messages. A recent off-line backup of the customer's accounting/ERP software made it possible to bring these essential applications back into service for users. Although a large amount of work remained to recover fully from the Ryuk event, critical systems were recovered quickly:
"For the most part, the manufacturing operation did not miss a beat and we delivered all customer sales."
Over the following few weeks, critical milestones in the restoration process were reached through tight collaboration between Progent consultants and the client:
- Internal web sites were returned to operation with no loss of data.
- The MailStore Exchange Server containing more than four million archived messages was spun up and accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent operational.
- A new Palo Alto Networks 850 firewall was installed.
- Nearly all of the user desktops were back in operation.
"A huge amount of what was accomplished in the initial days is mostly a fog for me, but I will not soon forget the dedication each of your team put in to give us our company back. I've trusted Progent for the past 10 years, maybe more, and every time Progent has shined and delivered as promised. This event was a stunning achievement."
Conclusion
A possible business extinction disaster was averted thanks to dedicated professionals, a broad spectrum of subject matter expertise, and tight collaboration. Although in hindsight the ransomware incident detailed here could have been prevented with advanced security solutions and best practices, user training, and appropriate incident response procedures for information backup and proper patching controls, the reality remains that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has substantial experience in ransomware defense, cleanup, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thanks very much for letting me get some sleep after we made it over the initial fire. Everyone did an amazing effort, and if anyone that helped is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Florianópolis a portfolio of online monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services incorporate modern machine learning capability to uncover zero-day variants of crypto-ransomware that are able to get past traditional signature-based security solutions.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to keep your IT system operating efficiently by tracking the health of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your specified IT management personnel and your assigned Progent engineering consultant so that any looming issues can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, track, enhance and troubleshoot their networking appliances like switches, firewalls, and access points plus servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept current, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when issues are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating devices that require critical updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of real-time reporting plug-ins designed to integrate with the top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has partnered with advanced backup technology providers to produce ProSight Data Protection Services, a family of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup processes and allow transparent backup and fast restoration of vital files/folders, apps, images, and VMs. ProSight DPS helps you avoid data loss caused by hardware breakdown, natural disasters, fire, malware like ransomware, user error, malicious insiders, or application glitches. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to deliver centralized control and comprehensive security for your email traffic. The hybrid structure of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a deeper layer of analysis for inbound email. For outbound email, the local gateway provides AV and anti-spam protection, DLP, and email encryption. The local gateway can also help Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more details, see Email Guard spam and content filtering.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services utilize Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication. Duo enables one-tap identity verification on Apple iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you sign into a secured application and enter your password you are asked to confirm who you are via a device that only you have and that uses a different network channel. A wide range of devices can be utilized as this added form of authentication, including an iPhone, an Android phone, a wearable, a hardware or software token, a landline telephone, etc. You may register several validation devices. For details about Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.
- Outsourced/Co-managed Call Center: Help Desk Managed Services
Progent's Help Center services enable your IT group to outsource Help Desk services to Progent or divide activity for Service Desk support transparently between your internal network support resources and Progent's extensive roster of certified IT support engineers and subject matter experts. Progent's Co-managed Service Desk provides a transparent extension of your internal support resources. End user interaction with the Help Desk, provision of support, escalation, trouble ticket generation and tracking, efficiency measurement, and management of the service database are consistent whether incidents are taken care of by your in-house support staff, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Help Center services.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes next-generation behavior-based machine learning technology to defend endpoint devices, servers, and VMs against new malware attacks like ransomware and file-less exploits, which easily evade legacy signature-based AV tools. Progent ASM services protect local and cloud-based resources and offer a single platform to automate the entire malware attack progression including blocking, detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Learn more about Progent's ransomware protection and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your business network, like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
- Patch Management: Patch Management Services
Progent's support services for patch management offer businesses of any size a versatile and affordable alternative for evaluating, testing, scheduling, implementing, and documenting updates to your ever-evolving IT network. In addition to maximizing the protection and reliability of your IT network, Progent's patch management services permit your in-house IT team to focus on more strategic initiatives and activities that deliver maximum business value from your network. Read more about Progent's patch management services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hosting environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting-edge behavior-based analysis technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely get past legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to address the complete malware attack lifecycle including blocking, infiltration detection, containment, cleanup, and forensics. Key features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection managed services deliver economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools packaged within one agent accessible from a single console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP deployment that addresses your company's unique needs and that helps you demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement the security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent action. Progent's consultants can also help you to install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.
For 24-7 Florianópolis Crypto Recovery Consulting, call Progent at 800-462-8800 or go to Contact Progent.