Ransomware : Your Crippling Information Technology Disaster
Ransomware has become an escalating cyber pandemic that represents an enterprise-level danger for businesses of all sizes poorly prepared for an attack. Different iterations of ransomware such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and still inflict damage. Recent variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with additional as yet unnamed malware, not only do encryption of online data files but also infiltrate all configured system backups. Information synchronized to cloud environments can also be corrupted. In a vulnerable system, this can make any restore operations impossible and basically sets the network back to square one.
Retrieving services and information following a crypto-ransomware intrusion becomes a race against time as the targeted business fights to stop lateral movement and clear the crypto-ransomware and to restore mission-critical operations. Due to the fact that crypto-ransomware takes time to move laterally, attacks are frequently launched during weekends and nights, when attacks are likely to take longer to detect. This compounds the difficulty of quickly marshalling and coordinating a qualified mitigation team.
Progent has an assortment of services for protecting organizations from crypto-ransomware penetrations. These include user training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security appliances with machine learning capabilities from SentinelOne to identify and quarantine new cyber threats rapidly. Progent also provides the services of expert ransomware recovery consultants with the track record and perseverance to reconstruct a breached environment as soon as possible.
Progent's Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin cryptocurrency does not guarantee that distant criminals will provide the keys to decipher any of your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their files even after having paid the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the typical ransomware demands, which ZDNET averages to be in the range of $13,000. The other path is to re-install the key elements of your Information Technology environment. Without the availability of full system backups, this requires a broad complement of skills, well-coordinated project management, and the capability to work 24x7 until the recovery project is complete.
For twenty years, Progent has provided professional IT services for companies in Los Angeles and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have garnered internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise provides Progent the capability to knowledgably understand important systems and consolidate the surviving parts of your computer network environment after a ransomware event and rebuild them into an operational system.
Progent's ransomware group deploys state-of-the-art project management systems to orchestrate the complex recovery process. Progent appreciates the importance of acting rapidly and in concert with a customer's management and IT team members to prioritize tasks and to put critical systems back on line as soon as humanly possible.
Client Story: A Successful Ransomware Attack Recovery
A client sought out Progent after their network was brought down by the Ryuk ransomware. Ryuk is believed to have been created by Northern Korean state sponsored hackers, suspected of using algorithms leaked from America's National Security Agency. Ryuk seeks specific organizations with little or no ability to sustain operational disruption and is among the most profitable examples of ransomware malware. Well Known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with around 500 employees. The Ryuk event had frozen all essential operations and manufacturing processes. The majority of the client's data protection had been directly accessible at the time of the attack and were eventually encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately called Progent.
"I can't thank you enough in regards to the care Progent provided us during the most critical period of (our) businesses survival. We would have paid the hackers behind this attack except for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and key servers back into operation faster than one week was beyond my wildest dreams. Every single consultant I worked with or texted at Progent was hell bent on getting our system up and was working breakneck pace to bail us out."
Progent worked together with the customer to quickly understand and prioritize the most important areas that needed to be addressed to make it possible to resume departmental functions:
To get going, Progent adhered to ransomware penetration response industry best practices by stopping the spread and removing active viruses. Progent then started the steps of recovering Microsoft AD, the heart of enterprise networks built on Microsoft Windows Server technology. Exchange messaging will not operate without AD, and the businesses' accounting and MRP applications leveraged SQL Server, which depends on Windows AD for security authorization to the data.
- Microsoft Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then helped perform rebuilding and hard drive recovery on essential applications. All Exchange Server data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Offline Folder Files) on various PCs to recover email messages. A not too old offline backup of the businesses accounting/MRP systems made them able to return these required services back online. Although significant work needed to be completed to recover fully from the Ryuk attack, essential systems were returned to operations rapidly:
"For the most part, the manufacturing operation showed little impact and we made all customer shipments."
Over the next few weeks important milestones in the recovery project were completed through close collaboration between Progent consultants and the client:
- In-house web applications were returned to operation without losing any data.
- The MailStore Server containing more than 4 million historical messages was restored to operations and accessible to users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory Control capabilities were 100 percent restored.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Ninety percent of the desktops and laptops were fully operational.
"Much of what transpired in the early hours is nearly entirely a blur for me, but our team will not soon forget the dedication each and every one of your team accomplished to give us our business back. I've trusted Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered. This situation was a testament to your capabilities."
A likely enterprise-killing catastrophe was averted due to top-tier experts, a wide array of IT skills, and tight teamwork. Although upon completion of forensics the crypto-ransomware incident described here should have been identified and blocked with modern security technology solutions and best practices, user education, and properly executed incident response procedures for information backup and proper patching controls, the fact is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware penetration, remember that Progent's team of professionals has a proven track record in ransomware virus blocking, remediation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), I'm grateful for allowing me to get some sleep after we made it through the initial fire. Everyone did an fabulous effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Los Angeles a range of remote monitoring and security assessment services designed to assist you to reduce the threat from ransomware. These services incorporate next-generation artificial intelligence technology to uncover new strains of ransomware that are able to get past traditional signature-based anti-virus products.
For Los Angeles 24x7 Crypto Repair Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior analysis tools to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely evade legacy signature-matching AV tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to manage the complete malware attack progression including protection, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single control. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP environment that addresses your company's unique requirements and that helps you demonstrate compliance with government and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate attention. Progent can also assist your company to set up and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with leading backup software providers to create ProSight Data Protection Services, a portfolio of subscription-based offerings that deliver backup-as-a-service. ProSight DPS products manage and monitor your backup processes and allow transparent backup and rapid recovery of important files/folders, apps, images, and VMs. ProSight DPS helps your business protect against data loss resulting from hardware failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious insiders, or software bugs. Managed services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security vendors to deliver centralized control and comprehensive protection for your email traffic. The hybrid structure of Email Guard combines a Cloud Protection Layer with an on-premises security gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of threats from making it to your network firewall. This reduces your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's onsite gateway device provides a deeper level of inspection for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, enhance and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are kept current, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, locating appliances that need critical updates, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by tracking the health of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT personnel and your Progent engineering consultant so all potential problems can be addressed before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hosting environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates ,domains or warranties. By updating and organizing your network documentation, you can save up to 50% of time spent trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior machine learning technology to defend endpoints as well as servers and VMs against new malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud resources and provides a unified platform to automate the entire threat lifecycle including filtering, identification, mitigation, cleanup, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
Progent's Call Center managed services enable your information technology group to outsource Help Desk services to Progent or divide activity for Service Desk support seamlessly between your internal network support staff and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a seamless supplement to your internal support staff. End user access to the Help Desk, provision of support services, escalation, ticket creation and updates, efficiency metrics, and management of the support database are cohesive whether incidents are taken care of by your core support organization, by Progent, or both. Find out more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide organizations of all sizes a flexible and affordable alternative for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your dynamic IT network. Besides maximizing the protection and functionality of your IT environment, Progent's patch management services allow your IT staff to concentrate on line-of-business projects and tasks that deliver the highest business value from your network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication. Duo supports one-tap identity verification with iOS, Android, and other personal devices. With 2FA, whenever you log into a secured application and give your password you are requested to confirm your identity via a unit that only you possess and that uses a different network channel. A broad selection of out-of-band devices can be utilized for this added form of authentication such as an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can designate multiple validation devices. For more information about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of in-depth reporting plug-ins designed to integrate with the industry's leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues like inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.