Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware has become an escalating cyber pandemic that presents an extinction-level danger for organizations unprepared for an assault. Multiple generations of ransomware such as Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for years and still cause destruction. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as daily as yet unnamed newcomers, not only do encryption of on-line data but also infiltrate many accessible system protection. Information replicated to the cloud can also be ransomed. In a poorly designed system, it can make automated restoration hopeless and basically sets the entire system back to zero.
Retrieving services and data after a ransomware intrusion becomes a race against time as the targeted organization struggles to stop the spread and cleanup the ransomware and to resume mission-critical activity. Due to the fact that ransomware requires time to spread, penetrations are frequently launched on weekends and holidays, when penetrations are likely to take more time to recognize. This multiplies the difficulty of rapidly mobilizing and orchestrating a knowledgeable response team.
Progent makes available a variety of services for protecting enterprises from crypto-ransomware penetrations. These include team member education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security solutions with artificial intelligence technology from SentinelOne to discover and quarantine day-zero threats intelligently. Progent also can provide the services of seasoned ransomware recovery engineers with the skills and perseverance to rebuild a breached network as soon as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will provide the needed codes to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET determined to be in the range of $13,000. The alternative is to piece back together the critical elements of your IT environment. Without the availability of essential information backups, this requires a broad range of skill sets, well-coordinated project management, and the willingness to work non-stop until the job is done.
For two decades, Progent has offered expert Information Technology services for companies in Barra da Tijuca and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained top industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security experts have garnered internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial management and ERP software solutions. This breadth of expertise affords Progent the ability to efficiently identify important systems and re-organize the surviving pieces of your Information Technology environment after a crypto-ransomware event and assemble them into an operational system.
Progent's ransomware group utilizes top notch project management systems to coordinate the complex recovery process. Progent understands the importance of acting swiftly and together with a customer's management and Information Technology team members to prioritize tasks and to put key services back on line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Attack Response
A client sought out Progent after their company was attacked by Ryuk ransomware. Ryuk is thought to have been created by Northern Korean state criminal gangs, suspected of using techniques exposed from the United States National Security Agency. Ryuk goes after specific companies with little ability to sustain operational disruption and is one of the most lucrative versions of crypto-ransomware. Well Known organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business located in Chicago and has around 500 employees. The Ryuk event had shut down all company operations and manufacturing processes. Most of the client's data backups had been on-line at the beginning of the attack and were eventually encrypted. The client was evaluating paying the ransom (in excess of $200,000) and praying for the best, but in the end reached out to Progent.
"I cannot thank you enough in regards to the expertise Progent gave us during the most critical period of (our) company's survival. We would have paid the cybercriminals except for the confidence the Progent group provided us. The fact that you could get our messaging and important applications back online faster than seven days was beyond my wildest dreams. Every single expert I worked with or communicated with at Progent was hell bent on getting our system up and was working non-stop to bail us out."
Progent worked with the customer to quickly get our arms around and prioritize the critical elements that had to be restored to make it possible to continue company operations:
To start, Progent adhered to AV/Malware Processes event response industry best practices by halting the spread and cleaning up infected systems. Progent then began the task of restoring Windows Active Directory, the foundation of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server email will not operate without AD, and the businesses' MRP applications utilized Microsoft SQL, which requires Active Directory for authentication to the information.
- Microsoft Active Directory
- Exchange Server
Within 2 days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then helped perform rebuilding and hard drive recovery of essential applications. All Exchange data and attributes were intact, which greatly helped the restore of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Off-Line Folder Files) on team desktop computers to recover email data. A not too old offline backup of the client's manufacturing systems made them able to return these vital services back servicing users. Although major work remained to recover fully from the Ryuk damage, critical services were recovered rapidly:
"For the most part, the assembly line operation never missed a beat and we delivered all customer sales."
During the next few weeks key milestones in the recovery process were accomplished through close cooperation between Progent engineers and the customer:
- Internal web sites were restored without losing any data.
- The MailStore Server exceeding four million historical emails was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory modules were fully functional.
- A new Palo Alto 850 firewall was set up.
- Ninety percent of the desktop computers were back into operation.
"A huge amount of what went on in the early hours is nearly entirely a fog for me, but I will not forget the dedication all of the team put in to give us our business back. I have been working together with Progent for at least 10 years, possibly more, and each time Progent has come through and delivered as promised. This event was a life saver."
A potential business extinction catastrophe was avoided due to results-oriented experts, a broad array of knowledge, and close collaboration. Although in analyzing the event afterwards the crypto-ransomware virus attack detailed here could have been blocked with up-to-date cyber security systems and ISO/IEC 27001 best practices, user and IT administrator education, and well thought out incident response procedures for backup and proper patching controls, the fact is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's roster of experts has proven experience in crypto-ransomware virus blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for making it so I could get some sleep after we got over the initial push. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Barra da Tijuca a variety of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services include next-generation machine learning technology to detect new variants of ransomware that are able to get past traditional signature-based anti-virus products.
For Barra da Tijuca 24-Hour Ransomware Cleanup Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily escape legacy signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to manage the complete malware attack progression including filtering, detection, mitigation, cleanup, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge technologies packaged within one agent managed from a single control. Progent's data protection and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that meets your company's unique requirements and that allows you demonstrate compliance with legal and industry information security regulations. Progent will assist you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent can also help your company to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services, a family of management offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and track your backup processes and enable transparent backup and rapid restoration of critical files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by hardware breakdown, natural disasters, fire, cyber attacks like ransomware, user mistakes, malicious insiders, or software glitches. Managed backup services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security vendors to deliver centralized management and comprehensive security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines cloud-based filtering with a local gateway device to provide complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of threats from making it to your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper layer of inspection for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and protect internal email that stays inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, track, enhance and troubleshoot their networking hardware like switches, firewalls, and load balancers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating complex management processes, WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, locating devices that need critical updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by tracking the health of critical assets that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent engineering consultant so that all looming problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hardware environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect information related to your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and managing your network documentation, you can save as much as 50% of time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates cutting edge behavior analysis tools to guard endpoint devices and servers and VMs against modern malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-matching AV products. Progent ASM services safeguard on-premises and cloud-based resources and provides a single platform to address the complete malware attack progression including blocking, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows VSS and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Help Center: Help Desk Managed Services
Progent's Call Desk managed services permit your information technology group to offload Support Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house support group and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Shared Service Desk provides a transparent supplement to your in-house network support organization. Client interaction with the Help Desk, delivery of support, escalation, trouble ticket creation and tracking, performance measurement, and maintenance of the support database are cohesive whether issues are resolved by your internal IT support group, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Call Center services.
- Patch Management: Patch Management Services
Progent's support services for patch management offer businesses of all sizes a versatile and affordable alternative for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic information network. In addition to maximizing the security and functionality of your computer environment, Progent's patch management services allow your IT staff to concentrate on line-of-business projects and activities that derive the highest business value from your network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA services utilize Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo enables single-tap identity confirmation on Apple iOS, Google Android, and other personal devices. Using 2FA, whenever you sign into a protected online account and enter your password you are asked to verify who you are on a unit that only you have and that uses a separate network channel. A broad range of devices can be utilized for this added means of ID validation including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may register several validation devices. For details about ProSight Duo identity validation services, see Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of in-depth reporting tools designed to work with the top ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-up or endpoints with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.