Ransomware : Your Feared IT Catastrophe
Ransomware has become a modern cyberplague that poses an extinction-level danger for organizations poorly prepared for an assault. Different iterations of ransomware like the CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for a long time and continue to cause havoc. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, along with additional as yet unnamed malware, not only do encryption of on-line critical data but also infect any configured system protection. Files replicated to off-site disaster recovery sites can also be held hostage. In a poorly designed system, it can render any recovery impossible and effectively sets the datacenter back to square one.
Getting back on-line applications and information after a crypto-ransomware event becomes a sprint against the clock as the victim struggles to contain the damage, clear the ransomware, and restore business-critical activity. Since ransomware requires time to spread, assaults are usually launched during nights and weekends, when successful attacks tend to take longer to detect. This compounds the difficulty of promptly marshalling and organizing a capable response team.
Progent has a variety of solutions for protecting organizations from ransomware penetrations. These include user education to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security gateways with machine learning capabilities from SentinelOne to discover and quarantine new cyber threats quickly. Progent in addition offers the assistance of veteran ransomware recovery professionals with the talent and perseverance to restore a compromised system as quickly as possible.
Progent's Ransomware Recovery Services
Soon after a ransomware penetration, even paying the ransom demands in cryptocurrency does not ensure that criminal gangs will return the keys to unencrypt any or all of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms are often a few hundred thousand dollars. For larger organizations, the ransom can reach millions. The alternative is to setup from scratch the essential elements of your IT environment. Without access to complete system backups, this calls for a broad range of skill sets, top notch project management, and the willingness to work 24x7 until the recovery project is completed.
For two decades, Progent has offered expert IT services for companies across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-recognized industry certifications including CISM, CISSP, CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of experience provides Progent the skills to efficiently understand important systems and integrate the remaining parts of your Information Technology system following a ransomware penetration and rebuild them into an operational network.
Progent's recovery team has best of breed project management systems to orchestrate the complex recovery process. Progent appreciates the urgency of working swiftly and together with a client's management and IT resources to prioritize tasks and to put the most important applications back on-line as soon as possible.
Case Study: A Successful Ransomware Virus Restoration
A client sought out Progent after their organization was taken over by the Ryuk ransomware. Ryuk is believed to have been created by North Korean government sponsored hackers, possibly adopting algorithms exposed from the United States National Security Agency. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most lucrative incarnations of ransomware. Well Known victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area and has around 500 staff members. The Ryuk penetration had shut down all essential operations and manufacturing capabilities. The majority of the client's information backups had been online at the start of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom (exceeding $200K) and praying for the best, but ultimately made the decision to use Progent.
"I can't tell you enough in regards to the help Progent provided us throughout the most fearful period of (our) company's life. We had little choice but to pay the cyber criminals if not for the confidence the Progent group gave us. The fact that you were able to get our messaging and essential applications back on-line sooner than 1 week was incredible. Every single expert I got help from or messaged at Progent was hell bent on getting us back online and was working day and night on our behalf."
Progent worked together with the client to rapidly get our arms around and assign priority to the most important systems that had to be addressed in order to continue departmental operations:
- Microsoft Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To get going, Progent followed AV/Malware Processes incident mitigation best practices by isolating and performing virus removal steps. Progent then started the task of bringing back online Microsoft Active Directory, the heart of enterprise networks built upon Microsoft technology. Exchange messaging will not work without Active Directory, and the client's accounting and MRP applications leveraged SQL Server, which requires Active Directory for security authorization to the databases.
In less than 2 days, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then helped perform rebuilding and storage recovery of key systems. All Exchange schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to collect local OST data files (Outlook Email Off-Line Folder Files) on team desktop computers and laptops to recover mail data. A not too old offline backup of the customer's accounting software made them able to recover these essential applications back available to users. Although significant work still had to be done to recover totally from the Ryuk damage, the most important systems were returned to operations rapidly:
"For the most part, the manufacturing operation showed little impact and we did not miss any customer shipments."
Throughout the following couple of weeks important milestones in the recovery process were accomplished through close cooperation between Progent team members and the customer:
- Self-hosted web applications were brought back up without losing any data.
- The MailStore Server containing more than 4 million historical emails was restored to operations and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory functions were 100% recovered.
- A new Palo Alto 850 security appliance was deployed.
- 90% of the user desktops and notebooks were back into operation.
"A huge amount of what was accomplished that first week is mostly a fog for me, but my management will not forget the commitment each of your team accomplished to give us our company back. I've entrusted Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This situation was no exception but maybe more Herculean."
Conclusion
A probable business catastrophe was avoided with top-tier professionals, a wide spectrum of knowledge, and close collaboration. Although in hindsight the crypto-ransomware virus attack detailed here would have been identified and prevented with modern cyber security solutions and recognized best practices, user education, and well designed security procedures for data backup and keeping systems up to date with security patches, the reality remains that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's team of professionals has extensive experience in ransomware virus defense, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thank you for making it so I could get some sleep after we got through the first week. Everyone did an fabulous job, and if any of your team is visiting the Chicago area, dinner is my treat!"
To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in San Diego a variety of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services incorporate next-generation AI technology to uncover zero-day strains of crypto-ransomware that are able to evade traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior-based analysis technology to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily escape legacy signature-based AV products. ProSight ASM protects on-premises and cloud resources and provides a single platform to address the complete malware attack lifecycle including blocking, detection, containment, cleanup, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can help your business to plan and configure a ProSight ESP deployment that meets your organization's unique requirements and that helps you prove compliance with government and industry information protection regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent's consultants can also help your company to set up and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has partnered with leading backup software companies to produce ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and enable transparent backup and rapid restoration of important files, applications, system images, plus virtual machines. ProSight DPS helps your business avoid data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, human mistakes, malicious employees, or application bugs. Managed backup services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security vendors to deliver web-based control and comprehensive security for your email traffic. The powerful structure of Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based threats. The cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from making it to your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway device provides a deeper level of analysis for incoming email. For outgoing email, the local gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, track, enhance and debug their networking hardware like switches, firewalls, and access points plus servers, client computers and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network maps are always updated, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating tedious management processes, WAN Watch can cut hours off ordinary chores like making network diagrams, expanding your network, locating appliances that require important updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by tracking the state of vital computers that drive your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT management staff and your Progent consultant so that all looming problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hardware environment without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard data related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save up to half of time spent searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Find out more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based analysis technology to defend endpoint devices and physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provides a unified platform to address the entire malware attack progression including protection, identification, mitigation, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Call Center: Help Desk Managed Services
Progent's Support Center managed services permit your IT group to offload Help Desk services to Progent or divide responsibilities for support services transparently between your internal support resources and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless extension of your corporate IT support team. User access to the Service Desk, delivery of technical assistance, issue escalation, ticket creation and updates, efficiency metrics, and maintenance of the support database are consistent whether issues are taken care of by your corporate IT support resources, by Progent's team, or both. Learn more about Progent's outsourced/shared Service Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management provide organizations of any size a versatile and affordable solution for evaluating, validating, scheduling, applying, and tracking updates to your dynamic IT system. In addition to maximizing the security and reliability of your computer network, Progent's patch management services free up time for your in-house IT team to focus on line-of-business initiatives and tasks that derive maximum business value from your network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to protect against password theft by using two-factor authentication. Duo enables single-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. Using Duo 2FA, whenever you sign into a protected application and give your password you are asked to confirm your identity on a unit that only you have and that uses a separate network channel. A wide range of out-of-band devices can be utilized as this second means of authentication such as a smartphone or watch, a hardware/software token, a landline phone, etc. You may register multiple validation devices. For details about ProSight Duo identity validation services, refer to Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time reporting plug-ins designed to work with the industry's leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For San Diego 24x7x365 Ransomware Remediation Services, reach out to Progent at 800-462-8800 or go to Contact Progent.