Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware has become a too-frequent cyberplague that poses an extinction-level danger for businesses of all sizes vulnerable to an attack. Different iterations of ransomware like the Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for many years and still inflict havoc. Recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, plus more unnamed malware, not only encrypt on-line files but also infiltrate all available system protection. Files replicated to the cloud can also be rendered useless. In a poorly architected system, it can render automatic restore operations useless and basically knocks the network back to square one.
Retrieving programs and data after a ransomware attack becomes a race against the clock as the targeted business fights to stop lateral movement and remove the crypto-ransomware and to restore business-critical activity. Since crypto-ransomware requires time to move laterally, attacks are usually launched on weekends and holidays, when successful attacks in many cases take longer to recognize. This compounds the difficulty of quickly mobilizing and orchestrating an experienced mitigation team.
Progent makes available an assortment of support services for securing businesses from ransomware penetrations. Among these are team member training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with installation of modern security appliances with AI capabilities from SentinelOne to detect and suppress day-zero cyber attacks automatically. Progent also can provide the services of expert crypto-ransomware recovery consultants with the skills and perseverance to reconstruct a breached environment as rapidly as possible.
Progent's Ransomware Restoration Help
Subsequent to a ransomware attack, sending the ransom in cryptocurrency does not provide any assurance that merciless criminals will respond with the needed codes to unencrypt all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET determined to be around $13,000. The fallback is to re-install the key parts of your Information Technology environment. Absent access to essential system backups, this requires a broad range of skill sets, well-coordinated project management, and the capability to work 24x7 until the recovery project is finished.
For twenty years, Progent has provided professional IT services for businesses in Denver and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security specialists have earned internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial systems and ERP software solutions. This breadth of expertise provides Progent the skills to knowledgably ascertain critical systems and consolidate the remaining components of your Information Technology system after a ransomware event and assemble them into an operational network.
Progent's recovery team has best of breed project management tools to orchestrate the sophisticated restoration process. Progent appreciates the urgency of working swiftly and in concert with a client's management and Information Technology staff to assign priority to tasks and to put key systems back on line as soon as humanly possible.
Customer Story: A Successful Ransomware Incident Recovery
A small business escalated to Progent after their network system was taken over by the Ryuk ransomware virus. Ryuk is generally considered to have been developed by Northern Korean state sponsored cybercriminals, suspected of adopting strategies leaked from the United States National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative examples of ransomware malware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area and has around 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing capabilities. Most of the client's system backups had been on-line at the time of the attack and were damaged. The client was pursuing financing for paying the ransom (exceeding $200K) and praying for good luck, but ultimately engaged Progent.
"I cannot speak enough about the care Progent gave us throughout the most fearful time of (our) company's survival. We had little choice but to pay the criminal gangs if not for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and key servers back quicker than five days was earth shattering. Every single expert I talked with or texted at Progent was totally committed on getting us working again and was working day and night on our behalf."
Progent worked together with the client to quickly determine and prioritize the critical applications that had to be recovered to make it possible to restart business functions:
To get going, Progent followed AV/Malware Processes incident mitigation industry best practices by isolating and disinfecting systems. Progent then began the process of recovering Windows Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange email will not work without Windows AD, and the customer's financials and MRP system utilized SQL Server, which requires Windows AD for access to the databases.
- Windows Active Directory
- Microsoft Exchange Server
- Accounting and Manufacturing Software
Within 2 days, Progent was able to rebuild Active Directory services to its pre-intrusion state. Progent then accomplished reinstallations and hard drive recovery on mission critical applications. All Exchange ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to assemble local OST files (Outlook Offline Folder Files) on team workstations and laptops to recover email information. A recent offline backup of the customer's manufacturing systems made them able to return these vital services back online. Although a lot of work was left to recover completely from the Ryuk damage, core services were restored quickly:
"For the most part, the production manufacturing operation did not miss a beat and we made all customer deliverables."
Over the next couple of weeks key milestones in the restoration project were achieved through close cooperation between Progent team members and the client:
- Internal web applications were brought back up without losing any data.
- The MailStore Microsoft Exchange Server exceeding 4 million historical messages was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory capabilities were 100% restored.
- A new Palo Alto Networks 850 firewall was set up and programmed.
- Most of the user desktops were functioning as before the incident.
"Much of what was accomplished in the initial days is mostly a haze for me, but our team will not forget the countless hours all of the team accomplished to help get our business back. I've been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This time was a testament to your capabilities."
A potential company-ending disaster was avoided by dedicated professionals, a broad range of technical expertise, and close teamwork. Although in analyzing the event afterwards the ransomware incident described here could have been stopped with advanced security solutions and security best practices, team training, and well thought out security procedures for data protection and applying software patches, the fact is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and will continue. If you do get hit by a ransomware penetration, feel confident that Progent's roster of professionals has extensive experience in crypto-ransomware virus blocking, mitigation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for making it so I could get rested after we made it through the initial fire. All of you did an incredible effort, and if any of your guys is around the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Denver a variety of online monitoring and security evaluation services to assist you to minimize the threat from ransomware. These services incorporate modern AI technology to detect new strains of ransomware that are able to evade legacy signature-based security products.
For Denver 24/7/365 CryptoLocker Repair Help, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's next generation behavior machine learning technology to guard physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which routinely get by legacy signature-based AV products. ProSight ASM protects local and cloud-based resources and offers a single platform to automate the complete malware attack lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering through leading-edge technologies packaged within one agent managed from a single control. Progent's data protection and virtualization experts can help you to plan and implement a ProSight ESP environment that addresses your organization's unique requirements and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent's consultants can also help your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services, a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup processes and enable transparent backup and rapid recovery of important files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss resulting from equipment breakdown, natural calamities, fire, malware such as ransomware, human mistakes, malicious insiders, or application glitches. Managed backup services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security companies to provide centralized management and world-class protection for all your email traffic. The hybrid structure of Email Guard integrates a Cloud Protection Layer with a local security gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer serves as a first line of defense and keeps most threats from reaching your network firewall. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map out, monitor, optimize and debug their connectivity appliances such as routers, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and manages the configuration information of virtually all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious network management processes, WAN Watch can knock hours off common chores like network mapping, expanding your network, locating appliances that require critical updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system operating efficiently by tracking the state of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent engineering consultant so that any looming problems can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hardware environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates ,domains or warranties. By updating and managing your IT documentation, you can eliminate as much as half of time thrown away searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes next generation behavior-based analysis technology to defend endpoint devices as well as servers and VMs against modern malware assaults like ransomware and file-less exploits, which easily get by legacy signature-based anti-virus products. Progent ASM services protect local and cloud-based resources and provides a unified platform to manage the entire malware attack lifecycle including blocking, detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Call Center: Help Desk Managed Services
Progent's Support Center managed services enable your IT group to outsource Help Desk services to Progent or split activity for Help Desk services transparently between your in-house support team and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent supplement to your internal support staff. Client access to the Service Desk, provision of support, escalation, ticket creation and updates, efficiency measurement, and maintenance of the support database are consistent regardless of whether issues are resolved by your core IT support organization, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Service Center services.
- Progent's Patch Management: Patch Management Services
Progent's support services for software and firmware patch management provide businesses of all sizes a versatile and cost-effective alternative for assessing, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving information system. Besides optimizing the security and functionality of your computer environment, Progent's software/firmware update management services free up time for your IT staff to concentrate on more strategic initiatives and tasks that derive maximum business value from your network. Find out more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo MFA services utilize Cisco's Duo technology to defend against password theft by using two-factor authentication. Duo enables one-tap identity confirmation with Apple iOS, Android, and other personal devices. Using 2FA, whenever you log into a protected application and give your password you are requested to confirm who you are on a unit that only you possess and that is accessed using a different network channel. A broad selection of devices can be used for this second form of ID validation including a smartphone or watch, a hardware token, a landline telephone, etc. You can designate multiple validation devices. To learn more about Duo identity authentication services, visit Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of real-time and in-depth reporting plug-ins designed to integrate with the industry's top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues such as spotty support follow-through or machines with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.