Crypto-Ransomware : Your Worst IT Nightmare
Ransomware has become a modern cyber pandemic that represents an enterprise-level threat for businesses vulnerable to an assault. Versions of ransomware like the Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for many years and continue to cause destruction. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with frequent as yet unnamed newcomers, not only do encryption of online critical data but also infect most accessible system protection. Data replicated to off-site disaster recovery sites can also be ransomed. In a poorly architected system, it can make any restoration useless and effectively knocks the entire system back to zero.
Getting back online services and information following a ransomware attack becomes a sprint against the clock as the targeted business fights to contain the damage and clear the crypto-ransomware and to resume business-critical operations. Because ransomware requires time to move laterally, assaults are often sprung at night, when attacks in many cases take longer to recognize. This compounds the difficulty of rapidly marshalling and orchestrating a capable response team.
Progent offers a range of solutions for protecting businesses from crypto-ransomware attacks. Among these are team training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of modern security appliances with artificial intelligence capabilities from SentinelOne to discover and disable zero-day cyber attacks quickly. Progent also offers the services of veteran ransomware recovery engineers with the talent and perseverance to restore a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
Subsequent to a crypto-ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not ensure that criminal gangs will provide the needed keys to unencrypt all your files. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the vital elements of your Information Technology environment. Absent the availability of essential system backups, this requires a broad complement of skills, top notch project management, and the capability to work 24x7 until the task is complete.
For decades, Progent has provided professional Information Technology services for companies in Minnetonka and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience provides Progent the capability to rapidly ascertain necessary systems and consolidate the surviving components of your network system after a ransomware event and rebuild them into a functioning system.
Progent's security team deploys powerful project management applications to orchestrate the complex restoration process. Progent knows the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and to get essential services back on-line as fast as humanly possible.
Customer Case Study: A Successful Ransomware Penetration Response
A small business sought out Progent after their network system was attacked by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean state sponsored cybercriminals, possibly adopting algorithms leaked from America's National Security Agency. Ryuk targets specific businesses with little or no tolerance for disruption and is one of the most profitable iterations of ransomware. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in Chicago with about 500 workers. The Ryuk intrusion had frozen all company operations and manufacturing processes. The majority of the client's information backups had been directly accessible at the time of the attack and were damaged. The client was pursuing financing for paying the ransom (more than two hundred thousand dollars) and wishfully thinking for the best, but ultimately made the decision to use Progent.
"I can't thank you enough about the help Progent provided us throughout the most critical period of (our) company's life. We most likely would have paid the Hackers if not for the confidence the Progent experts gave us. The fact that you could get our messaging and important applications back on-line sooner than 1 week was amazing. Each person I spoke to or communicated with at Progent was hell bent on getting our company operational and was working non-stop on our behalf."
Progent worked hand in hand the client to quickly determine and assign priority to the most important elements that had to be addressed in order to resume departmental functions:
To start, Progent adhered to ransomware incident mitigation industry best practices by isolating and performing virus removal steps. Progent then initiated the steps of recovering Active Directory, the heart of enterprise environments built upon Microsoft Windows Server technology. Exchange email will not operate without Active Directory, and the businesses' MRP applications utilized Microsoft SQL Server, which depends on Active Directory services for access to the data.
- Active Directory (AD)
- Microsoft Exchange Server
- MRP System
Within two days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then charged ahead with rebuilding and storage recovery of needed applications. All Microsoft Exchange Server schema and configuration information were usable, which greatly helped the restore of Exchange. Progent was able to assemble non-encrypted OST data files (Outlook Email Offline Folder Files) on staff desktop computers and laptops to recover mail messages. A not too old off-line backup of the businesses financials/ERP software made them able to recover these required applications back online. Although a lot of work was left to recover totally from the Ryuk event, essential systems were recovered rapidly:
"For the most part, the production line operation ran fairly normal throughout and we made all customer orders."
Throughout the following month important milestones in the recovery project were completed in close collaboration between Progent engineers and the customer:
- Self-hosted web applications were returned to operation without losing any information.
- The MailStore Microsoft Exchange Server exceeding four million archived emails was restored to operations and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control modules were completely functional.
- A new Palo Alto Networks 850 firewall was brought on-line.
- 90% of the desktops and laptops were operational.
"A lot of what transpired in the initial days is mostly a fog for me, but we will not soon forget the care each and every one of you accomplished to help get our company back. I have entrusted Progent for the past 10 years, possibly more, and every time Progent has shined and delivered as promised. This situation was a testament to your capabilities."
A potential business-ending catastrophe was avoided through the efforts of results-oriented experts, a broad range of IT skills, and tight teamwork. Although in analyzing the event afterwards the crypto-ransomware incident detailed here could have been identified and blocked with up-to-date security solutions and security best practices, team training, and properly executed security procedures for information protection and applying software patches, the fact remains that state-sponsored hackers from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has proven experience in ransomware virus blocking, removal, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were involved), thanks very much for making it so I could get rested after we made it over the initial push. All of you did an fabulous effort, and if any of your guys is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Minnetonka a variety of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize modern artificial intelligence capability to detect zero-day strains of ransomware that can get past legacy signature-based anti-virus products.
For 24/7/365 Minnetonka Crypto Removal Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior machine learning tools to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely get by legacy signature-based AV products. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to automate the complete malware attack lifecycle including protection, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools packaged within a single agent managed from a unified console. Progent's security and virtualization experts can help your business to design and implement a ProSight ESP deployment that addresses your company's unique needs and that allows you demonstrate compliance with government and industry information protection standards. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also help your company to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore software companies to create ProSight Data Protection Services (DPS), a family of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and enable non-disruptive backup and fast recovery of critical files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or software bugs. Managed services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security vendors to deliver centralized control and world-class protection for your inbound and outbound email. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper level of inspection for incoming email. For outbound email, the onsite security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, optimize and debug their networking appliances such as routers and switches, firewalls, and access points as well as servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network maps are always updated, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating tedious network management processes, WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, finding appliances that need critical updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by checking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT management staff and your assigned Progent engineering consultant so that all potential problems can be resolved before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSLs ,domains or warranties. By updating and managing your IT documentation, you can eliminate as much as half of time wasted looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next generation behavior-based analysis tools to guard endpoints as well as servers and VMs against new malware assaults like ransomware and email phishing, which routinely evade traditional signature-based anti-virus products. Progent Active Security Monitoring services safeguard local and cloud resources and provides a unified platform to automate the complete malware attack lifecycle including protection, infiltration detection, containment, cleanup, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Read more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Call Desk: Call Center Managed Services
Progent's Support Desk services permit your information technology group to outsource Help Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house network support staff and Progent's extensive roster of IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a seamless extension of your core IT support organization. User access to the Service Desk, provision of technical assistance, issue escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the support database are consistent whether incidents are taken care of by your in-house IT support resources, by Progent, or a mix of the two. Learn more about Progent's outsourced/co-managed Call Desk services.
- Patch Management: Patch Management Services
Progent's managed services for patch management provide businesses of any size a flexible and affordable solution for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT system. In addition to maximizing the security and reliability of your IT network, Progent's patch management services permit your IT team to concentrate on line-of-business projects and tasks that deliver maximum business value from your information network. Read more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA managed services utilize Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity verification on iOS, Google Android, and other personal devices. Using 2FA, whenever you log into a protected application and enter your password you are requested to confirm who you are on a unit that only you have and that is accessed using a different network channel. A broad selection of devices can be utilized as this added means of ID validation including a smartphone or wearable, a hardware token, a landline telephone, etc. You may register multiple validation devices. To learn more about ProSight Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time and in-depth management reporting tools created to integrate with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.