Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyberplague that presents an existential danger for organizations poorly prepared for an attack. Crypto-ransomware families such as CryptoLocker, WannaCry, Locky, NotPetya and MongoLock have been out in the wild for years and continue to inflict havoc. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, along with many unnamed variants, not only encrypt online data files but also compromise every system protection mechanism they can reach. Data synced to the cloud can be corrupted as well. With a vulnerable data protection solution, this can make automated recovery impossible and effectively sets the datacenter back to zero.
Recovering applications and data after a crypto-ransomware event becomes a race against time as the targeted business fights to contain and clean up the ransomware and to restore business-critical operations. Because crypto-ransomware needs time to spread, attacks are often launched on weekends and at night, when they typically take longer to detect. This compounds the difficulty of quickly assembling and coordinating a qualified response team.
Progent offers a range of support services for protecting businesses from ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with machine learning technology from SentinelOne to detect and quarantine zero-day threats quickly. Progent can also provide veteran ransomware recovery professionals with the skills and commitment to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom in cryptocurrency provides no assurance that the attackers will supply the keys needed to decrypt your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNet estimates to average approximately $13,000. The alternative is to rebuild the vital parts of your IT environment from scratch. Without access to full data backups, this calls for a wide complement of IT skills, top-notch team management, and the ability to work 24x7 until the task is done.
For twenty years, Progent has provided certified expert IT services for companies in San Diego and throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise enables Progent to knowledgeably identify the required systems, reorganize the remaining pieces of your network environment after a ransomware attack, and rebuild them into a functioning network.
Progent's recovery team uses powerful project management applications to coordinate the complex restoration process. Progent understands the urgency of acting swiftly and working closely with a client's management and IT staff to prioritize tasks and get essential services back online as soon as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Attack Recovery
A client escalated to Progent after their company was brought down by Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored hackers, possibly using technology leaked from America's National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most profitable ransomware strains. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with around 500 employees. The Ryuk attack had halted all business operations and manufacturing. Most of the client's backups were online at the start of the intrusion and were encrypted. The client considered paying the ransom (more than $200K) and hoping for the best, but ultimately called Progent.
"I cannot tell you enough about the help Progent gave us throughout the most critical period of (our) business's existence. We most likely would have paid the criminal gangs except for the confidence the Progent team gave us. The fact that you were able to get our e-mail and important servers back into operation in less than seven days was incredible. Every single consultant I talked with or communicated with at Progent was urgently focused on getting us back online and was working 24 by 7 on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the essential systems that had to be addressed to keep departmental operations running:
- Windows Active Directory
- Microsoft Exchange Server
- Financials/MRP
To begin, Progent followed industry best practices for ransomware incident response by halting lateral movement and cleaning infected systems. Progent then started recovering Microsoft Active Directory, the core technology of enterprise networks built on Microsoft Windows. Exchange messaging will not function without Active Directory, and the customer's accounting and MRP applications used Microsoft SQL Server, which depends on Active Directory to authenticate access to the data.
In less than 2 days, Progent rebuilt Active Directory to its pre-attack state. Progent then assisted with rebuilding and recovering storage for the most important applications. All Exchange Server data and configuration information were intact, which greatly simplified the restoration of Exchange. Progent was also able to find unencrypted OST files (Outlook Offline Folder Files) on staff PCs and laptops and used them to recover mail data. A reasonably recent offline backup of the customer's accounting/ERP systems made it possible to bring these essential applications back into service. Although a great deal of work remained to recover fully from the Ryuk virus, the most important services were restored quickly:
"For the most part, the production manufacturing operation showed little impact and we did not miss any customer orders."
During the following couple of weeks, important milestones in the recovery project were reached through close cooperation between Progent consultants and the client:
- Internal web applications were restored without losing any information.
- The MailStore Microsoft Exchange Server with over 4 million historical emails was brought back online and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory modules were completely operational.
- A new Palo Alto 850 firewall was installed.
- Ninety percent of the desktops and laptops were fully operational.
"A lot of what transpired those first few days is nearly entirely a haze for me, but my team will not soon forget the care each and every one of your team put in to give us our business back. I have been working together with Progent for the past ten years, possibly more, and every time Progent has come through and delivered as promised. This time was a life saver."
Conclusion
A potential enterprise-killing catastrophe was avoided thanks to top-tier experts, a wide spectrum of knowledge, and close collaboration. In hindsight, the ransomware attack described here should have been detected and prevented by current security systems and recognized best practices, user and IT administrator training, sound backup and incident response procedures, and proper patching controls. The reality remains, however, that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and pose an ongoing threat. If you do fall victim to a ransomware attack, rest assured that Progent's team of professionals has substantial experience in ransomware blocking, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thank you for letting me get some sleep after we made it past the initial fire. Everyone did a fabulous job, and if any of your guys is around the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer story, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in San Diego a variety of remote monitoring and security evaluation services designed to help you reduce your exposure to ransomware. These services include modern AI technology to detect zero-day strains of ransomware that can get past traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next-generation behavior analysis tools to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely get past legacy signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to manage the entire malware attack lifecycle, including filtering, detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection services deliver ultra-affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and respond to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can help you design and implement a ProSight ESP deployment that addresses your organization's specific needs and that allows you to demonstrate compliance with legal and industry data protection regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent attention. Progent can also help your company set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with advanced backup/restore technology providers to produce ProSight Data Protection Services (DPS), a family of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and allow non-disruptive backup and fast recovery of important files/folders, applications, system images, and virtual machines. ProSight DPS helps your business avoid data loss caused by hardware breakdown, natural calamities, fire, cyber attacks like ransomware, user mistakes, malicious employees, or application bugs. Managed backup services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security companies to provide centralized control and world-class protection for your email traffic. The architecture of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as the first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This reduces your exposure to external attacks and conserves bandwidth and storage. Email Guard's onsite security gateway appliance adds a further layer of inspection for incoming email. For outbound email, the onsite security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server in monitoring and protecting internal email traffic that originates and terminates inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map, monitor, reconfigure and troubleshoot their networking hardware such as routers, switches, firewalls, and access points, plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch keeps network maps current, captures and manages the configuration of virtually all devices on your network, tracks performance, and generates alerts when problems are detected. By automating tedious network management activities, ProSight WAN Watch can knock hours off common tasks like producing network diagrams, expanding your network, locating devices that require important updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by tracking the state of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT management personnel and your Progent engineering consultant so that any potential issues can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hosting environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and protect information about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or domain registrations. By updating and organizing your IT documentation, you can save up to half the time wasted searching for critical information about your network. ProSight IT Asset Management provides a centralized location for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next-generation behavior analysis tools to defend endpoints as well as physical and virtual servers against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-matching AV products. Progent Active Security Monitoring services protect local and cloud-based resources and offer a single platform to automate the entire threat lifecycle, including blocking, identification, containment, remediation, and forensics. Key features include single-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Help Center: Help Desk Managed Services
Progent's Support Desk managed services enable your IT staff to offload Help Desk services to Progent or split responsibilities for Service Desk support seamlessly between your in-house network support resources and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a smooth extension of your core IT support group. User interaction with the Service Desk, delivery of technical assistance, escalation, ticket generation and updates, efficiency measurement, and maintenance of the service database are cohesive whether issues are resolved by your internal network support group, by Progent's team, or both. Find out more about Progent's outsourced/shared Call Desk services.
- Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide businesses of all sizes a versatile and cost-effective alternative for assessing, testing, scheduling, applying, and documenting updates to your dynamic IT system. Besides optimizing the security and reliability of your computer network, Progent's patch management services allow your IT staff to focus on more strategic initiatives and activities that derive the highest business value from your information network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication services use Cisco's Duo technology to protect against stolen passwords with two-factor authentication (2FA). Duo supports single-tap identity confirmation on iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a secured online account and enter your password, you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A wide selection of out-of-band devices can be used for this second means of identity validation, such as an iPhone, Android phone or smartwatch, a hardware token, or a landline phone. You may register several validation devices. For details about Duo identity authentication services, visit Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of real-time and in-depth reporting utilities designed to integrate with the industry's leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For San Diego 24-7 Ransomware Cleanup Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.