Crypto-Ransomware: Your Feared IT Disaster
Ransomware has become a modern cyber pandemic that presents an extinction-level danger for businesses of all sizes that are unprepared for an attack. Crypto-ransomware families such as CrySIS, CryptoWall, Locky, NotPetya and the MongoLock cryptoworm have been around for years and continue to inflict destruction. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, as well as daily unnamed strains, not only encrypt online data files but also infect most configured system backups. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, this can make restoration hopeless and effectively knocks the network back to square one.
Bringing applications and data back on line after a crypto-ransomware intrusion becomes a race against time as the victim tries to stop the spread, remove the ransomware, and restore business-critical activity. Because crypto-ransomware needs time to replicate, intrusions are often launched at night and on weekends, when successful attacks tend to take longer to discover. This multiplies the difficulty of promptly mobilizing and coordinating a qualified response team.
Progent offers an assortment of support services for protecting businesses from crypto-ransomware attacks. Among these are staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security solutions based on machine learning technology from SentinelOne to detect and suppress new cyber threats automatically. Progent also provides the assistance of experienced ransomware recovery professionals with the track record and commitment to rebuild a compromised system as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that merciless criminals will provide the keys needed to decrypt any or all of your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data after sending the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET determined to be around $13,000. The alternative is to set up the essential elements of your Information Technology environment from scratch. Without access to full data backups, this calls for a broad range of skills, top-notch project management, and the capability to work continuously until the job is done.
For decades, Progent has provided professional IT services for companies in Florianópolis and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who hold advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience in financial management and ERP software solutions. This breadth of expertise allows Progent to rapidly identify critical systems, reorganize the remaining pieces of your Information Technology system after a crypto-ransomware penetration, and assemble them into a functioning network.
Progent's recovery team uses state-of-the-art project management applications to coordinate the complicated restoration process. Progent appreciates the importance of working swiftly and in concert with a client's management and IT team members to prioritize tasks and get critical systems back on line as soon as possible.
Client Story: A Successful Crypto-Ransomware Virus Response
A client engaged Progent after its network was attacked by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored criminal gangs, suspected of using techniques leaked from America's NSA. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most lucrative versions of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with about 500 staff members. The Ryuk event had paralyzed all business operations and manufacturing processes. Most of the client's backups had been directly accessible on the network at the time of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for the best, but in the end reached out to Progent.
"I can't speak enough in regards to the help Progent provided us during the most critical period of (our) business's survival. We would have paid the hackers behind this attack except for the confidence the Progent experts afforded us. That you were able to get our messaging and important applications back sooner than seven days was incredible. Each expert I got help from or texted at Progent was absolutely committed to getting our system up and was working all day and night on our behalf."
Progent worked with the customer to rapidly assess and prioritize the mission-critical applications that had to be addressed in order to restart departmental functions:
- Active Directory
- Microsoft Exchange Email
To start, Progent followed ransomware incident mitigation best practices by isolating and cleaning infected systems. Progent then began recovering Microsoft Active Directory (AD), the key technology of enterprise systems built on Microsoft Windows Server. Exchange messaging will not work without Windows AD, and the client's MRP applications relied on Microsoft SQL Server, which needs Active Directory services to authorize access to the data.
Within 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then completed setup and storage recovery of key systems. All Exchange Server links and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Off-Line Folder Files) from staff workstations to recover mail messages. A relatively recent off-line backup of the client's financials/ERP software made it possible to return these vital applications to service. Although significant work still had to be done to recover fully from the Ryuk attack, essential services were returned to operation quickly:
"For the most part, the production operation never missed a beat and we made all customer sales."
Over the following few weeks, important milestones in the restoration process were completed through tight collaboration between Progent engineers and the customer:
- In-house web applications were restored with no loss of information.
- The MailStore Server with over four million historical messages was restored to operations and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were completely recovered.
- A new Palo Alto 850 security appliance was deployed.
- Ninety percent of the user PCs were back in use by staff.
"Much of what went on in the initial days is nearly entirely a fog for me, but my management will not forget the care all of the team put in to give us our company back. I have trusted Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This event was a testament to your capabilities."
A potential business catastrophe was avoided through the efforts of dedicated experts, a wide spectrum of knowledge, and close collaboration. Although, in hindsight, the ransomware penetration described here could have been identified and stopped with modern security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and appropriate procedures for backups and for keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and an ongoing threat. If you are hit by a ransomware incursion, remember that Progent's team of professionals has extensive experience in ransomware blocking, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thanks very much for allowing me to get some sleep after we got over the most critical parts. All of you made an amazing effort, and if any of you guys are visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet (PDF, 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Florianópolis a portfolio of online monitoring and security assessment services designed to help you reduce your vulnerability to crypto-ransomware. These services use modern AI capabilities to uncover zero-day variants of ransomware that can get past legacy signature-based anti-virus solutions.
For Florianópolis 24x7 Crypto-Ransomware Remediation Services, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and fileless exploits, which routinely evade traditional signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to manage the complete threat lifecycle, including blocking, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection managed services deliver economical in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring of and reaction to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, endpoint management, and web filtering through leading-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP environment that addresses your company's specific needs and allows you to prove compliance with legal and industry information protection standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent can also help you set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly after a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup technology companies to create ProSight Data Protection Services (DPS), a selection of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup processes and allow transparent backup and rapid recovery of vital files, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss resulting from hardware breakdown, natural calamities, fire, malware such as ransomware, user error, ill-intentioned employees, or application glitches. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security companies to provide web-based control and world-class security for your email traffic. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with a local security gateway device to offer complete defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper layer of inspection for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server in monitoring and safeguarding internal email traffic that stays inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, track, optimize and troubleshoot their networking hardware such as routers, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating complex network management processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, finding appliances that need critical software patches, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to help keep your IT system operating efficiently by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT management staff and your Progent consultant so all potential problems can be addressed before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and safeguard data related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can eliminate as much as 50% of time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates next-generation behavior-based analysis tools to defend endpoint devices and physical and virtual servers against modern malware attacks like ransomware and email phishing, which routinely escape traditional signature-matching anti-virus products. Progent ASM services safeguard on-premises and cloud-based resources and provide a single platform to automate the complete malware attack progression, including filtering, identification, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Call Desk: Call Center Managed Services
Progent's Call Desk services permit your information technology group to outsource Call Center services to Progent or divide responsibilities for Service Desk support transparently between your in-house support resources and Progent's extensive pool of certified IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless extension of your core IT support staff. User interaction with the Help Desk, provision of support services, problem escalation, ticket creation and tracking, efficiency metrics, and maintenance of the service database are cohesive regardless of whether incidents are taken care of by your core support organization, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Help Desk services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management offer businesses of any size a versatile and affordable alternative for evaluating, validating, scheduling, implementing, and documenting updates to your dynamic IT system. In addition to maximizing the protection and functionality of your IT environment, Progent's patch management services permit your IT staff to concentrate on more strategic projects and tasks that derive the highest business value from your network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication services use Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables one-tap identity verification on iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a secured online account and give your password, you are asked to verify your identity via a device that only you possess and that is reached over a separate network channel. A broad selection of out-of-band devices can be used as this second form of authentication, such as an iPhone, Android phone or wearable, a hardware or software token, a landline phone, etc. You may designate several validation devices. For details about Duo two-factor identity validation services, visit Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of real-time and in-depth reporting tools created to integrate with the industry's leading ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues like inconsistent support follow-through or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.