Ransomware: Your Worst IT Nightmare
Ransomware has become a modern cyberplague that poses an extinction-level threat for organizations vulnerable to an attack. Multiple generations of ransomware such as Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still cause damage. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, plus daily as yet unnamed malware, not only encrypt online data files but also seek out and encrypt any reachable system restore points and backups. Files replicated to off-site disaster recovery sites can also be encrypted. In a poorly designed system, this can render automatic recovery impossible and knocks the network back to zero.
Getting applications and information back after a ransomware intrusion becomes a race against the clock as the victim tries to contain the damage, eradicate the ransomware, and restore mission-critical operations. Since ransomware needs time to spread, attacks are usually launched during nights and weekends, when a successful attack typically takes longer to detect. This multiplies the difficulty of rapidly marshalling and coordinating an experienced mitigation team.
Progent provides an assortment of services for protecting enterprises from ransomware events. These include training team members to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security gateways with AI technology from SentinelOne to detect and extinguish zero-day threats quickly. Progent also offers the assistance of experienced ransomware recovery engineers with the track record and perseverance to re-deploy a breached environment as urgently as possible.
Progent's Ransomware Restoration Services
Paying the ransom in cryptocurrency after a ransomware event does not ensure that the distant criminals will hand over the keys to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The gamble is also very expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be approximately $13,000. The fallback is to re-install the critical components of your Information Technology environment. Absent complete system backups, this calls for a wide complement of IT skills, well-coordinated project management, and the ability to work 24x7 until the task is completed.
For twenty years, Progent has made available certified expert IT services for companies in San Diego and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have been awarded top industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally renowned industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent in addition has expertise with financial management and ERP applications. This breadth of expertise gives Progent the capability to knowledgeably identify necessary systems, integrate the remaining pieces of your computer network after a ransomware penetration, and assemble them into a functioning network.
Progent's recovery team deploys powerful project management systems to orchestrate the complicated restoration process. Progent knows the importance of acting rapidly and in unison with a client's management and IT team members to prioritize tasks and to put the most important applications back online as soon as possible.
Customer Case Study: A Successful Ransomware Attack Response
A small business sought out Progent after their network was brought down by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state hackers, possibly using strategies leaked from the U.S. National Security Agency. Ryuk seeks out specific businesses with little room for disruption and is among the most profitable iterations of ransomware malware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company located in the Chicago metro area with around 500 employees. The Ryuk event had brought down all company operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the start of the intrusion and were encrypted along with everything else. The client was pursuing financing to pay the ransom demand (more than $200K) and hoping for good luck, but ultimately engaged Progent.
"I cannot speak enough about the help Progent gave us during the most stressful time of (our) company's existence. We most likely would have paid the cybercriminals except for the confidence the Progent team gave us. The fact that you could get our messaging and essential servers back on-line in less than seven days was amazing. Every single expert I worked with or e-mailed at Progent was amazingly focused on getting us back on-line and was working at breakneck pace to bail us out."
Progent worked with the client to quickly scope and prioritize the mission-critical areas that had to be addressed in order to restart company operations:
- Active Directory
- Microsoft Exchange Email
- Accounting/MRP
To begin, Progent followed malware incident mitigation best practices by stopping lateral movement and cleaning infected systems. Progent then began the task of recovering Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not function without AD, and the business's MRP system used Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the databases.
In less than 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then completed rebuilding and hard drive recovery on mission-critical applications. All Microsoft Exchange Server links and attributes in Active Directory were intact, which facilitated the rebuild of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Data Files) on user workstations in order to recover mail data. A reasonably recent offline backup of the business's financials/ERP software allowed these vital programs to be restored. Although significant work remained to recover completely from the Ryuk attack, essential systems were restored quickly:
"For the most part, the manufacturing operation showed little impact and we made all customer orders."
Throughout the next couple of weeks key milestones in the recovery project were accomplished in close cooperation between Progent engineers and the client:
- In-house web applications were brought back up with no loss of information.
- The MailStore Server with over 4 million archived emails was brought online and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were fully operational.
- A new Palo Alto 850 firewall was set up and programmed.
- Ninety percent of the user desktops and notebooks were fully operational.
"Much of what transpired in the early hours is mostly a fog for me, but our team will not soon forget the urgency all of the team accomplished to help get our business back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered. This event was no exception but maybe more Herculean."
Conclusion
A likely business catastrophe was avoided through the efforts of dedicated professionals, a wide array of technical expertise, and close teamwork. Although post-mortem analysis shows that the ransomware penetration described here would have been blocked by up-to-date cyber security technology, ISO/IEC 27001 best practices, user training, and properly executed security procedures for information protection and software patching, the reality is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware incursion, be confident that Progent's roster of professionals has proven experience in ransomware prevention, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), I'm grateful for allowing me to get some sleep after we made it past the first week. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in San Diego a variety of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services incorporate modern machine learning capability to uncover zero-day strains of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily get by legacy signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to manage the complete malware attack lifecycle including filtering, identification, containment, cleanup, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies packaged within one agent accessible from a single console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP environment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent action. Progent can also help you set up and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly after a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore technology companies to create ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup operations and enable transparent backup and rapid restoration of vital files, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss caused by equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these fully managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security vendors to deliver web-based control and comprehensive security for all your inbound and outbound email. The layered architecture of the Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further level of analysis for inbound email. For outgoing email, the local gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Microsoft Exchange Server track and safeguard internal email that stays within your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, track, reconfigure and debug their networking appliances such as routers and switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration of virtually all devices on your network, monitors performance, and generates notices when issues are detected. By automating time-consuming management activities, WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, locating devices that require critical software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by tracking the state of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT personnel and your assigned Progent engineering consultant so that all potential issues can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hosting solution without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect information related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can eliminate up to 50% of time spent searching for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need as soon as you need it. Read more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection managed service that utilizes cutting-edge behavior-based analysis technology to defend endpoint devices, servers, and VMs against modern malware attacks like ransomware and fileless exploits, which routinely evade legacy signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud resources and offer a unified platform to automate the complete malware attack progression including protection, infiltration detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against new threats. Find out more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Service Center: Help Desk Managed Services
Progent's Help Desk services enable your IT group to offload Support Desk services to Progent or split responsibilities for support services transparently between your in-house network support resources and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a smooth supplement to your corporate support team. User interaction with the Help Desk, delivery of support services, issue escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the service database are cohesive regardless of whether issues are resolved by your core IT support organization, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Service Desk services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for patch management offer businesses of all sizes a flexible and cost-effective solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving information system. Besides maximizing the security and reliability of your computer environment, Progent's patch management services permit your IT staff to concentrate on more strategic projects and tasks that derive maximum business value from your information network. Learn more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA services utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication. Duo enables one-tap identity verification with iOS, Google Android, and other personal devices. With 2FA, when you sign into a secured application and enter your password, you are asked to confirm your identity via a device that only you possess and that uses a different network channel. A broad range of out-of-band devices can be used for this added means of authentication, including a smartphone or watch, a hardware/software token, or a landline telephone. You may designate several validation devices. For details about Duo identity authentication services, see Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time and in-depth reporting tools designed to integrate with the top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-up or endpoints with out-of-date antivirus. By exposing ticketing or network health problems concisely and in near real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For San Diego 24/7 Crypto-Ransomware Cleanup Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.