Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware has become an escalating cyberplague that presents an extinction-level danger for organizations poorly prepared for an attack. Different iterations of crypto-ransomware like the Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and continue to inflict damage. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, along with daily unnamed viruses, not only do encryption of on-line files but also infiltrate all available system protection mechanisms. Information synched to cloud environments can also be ransomed. In a poorly designed environment, it can render automated restore operations useless and basically knocks the datacenter back to square one.
Recovering programs and data after a crypto-ransomware outage becomes a sprint against time as the targeted business tries its best to contain the damage and cleanup the ransomware and to resume mission-critical activity. Since ransomware takes time to move laterally, attacks are often launched during nights and weekends, when successful penetrations in many cases take longer to uncover. This multiplies the difficulty of quickly mobilizing and coordinating a knowledgeable response team.
Progent has an assortment of help services for protecting enterprises from ransomware attacks. These include team member training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security appliances with artificial intelligence technology from SentinelOne to detect and suppress zero-day cyber attacks automatically. Progent also provides the assistance of seasoned ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as soon as possible.
Progent's Crypto-Ransomware Recovery Support Services
Subsequent to a ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will provide the needed keys to decrypt any or all of your files. Kaspersky ascertained that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly above the typical crypto-ransomware demands, which ZDNET determined to be around $13,000. The other path is to re-install the critical components of your IT environment. Without the availability of essential information backups, this requires a broad complement of skill sets, professional team management, and the willingness to work non-stop until the job is done.
For twenty years, Progent has made available certified expert Information Technology services for companies in Los Angeles and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of experience provides Progent the skills to quickly understand critical systems and consolidate the surviving components of your computer network environment following a ransomware attack and rebuild them into an operational system.
Progent's ransomware group has best of breed project management tools to coordinate the complex restoration process. Progent appreciates the importance of acting rapidly and together with a customer's management and IT team members to assign priority to tasks and to put the most important applications back online as soon as humanly possible.
Customer Story: A Successful Ransomware Penetration Response
A client hired Progent after their network system was taken over by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean state sponsored hackers, possibly using technology leaked from the United States National Security Agency. Ryuk goes after specific companies with little or no ability to sustain operational disruption and is among the most lucrative versions of ransomware. High publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with around 500 workers. The Ryuk attack had shut down all business operations and manufacturing capabilities. The majority of the client's information backups had been on-line at the beginning of the attack and were encrypted. The client was pursuing financing for paying the ransom demand (more than $200K) and praying for good luck, but ultimately called Progent.
"I can't thank you enough about the care Progent gave us during the most critical time of (our) businesses survival. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail system and critical applications back into operation in less than 1 week was earth shattering. Every single staff member I got help from or communicated with at Progent was urgently focused on getting us back on-line and was working at all hours on our behalf."
Progent worked hand in hand the client to rapidly determine and prioritize the essential applications that had to be addressed in order to continue business functions:
To begin, Progent followed ransomware penetration response best practices by halting lateral movement and performing virus removal steps. Progent then started the process of rebuilding Microsoft AD, the foundation of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server email will not work without Active Directory, and the client's MRP system used SQL Server, which needs Active Directory for access to the data.
- Active Directory (AD)
- Electronic Messaging
In less than 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then assisted with reinstallations and hard drive recovery of key servers. All Microsoft Exchange Server ties and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to find intact OST data files (Microsoft Outlook Off-Line Folder Files) on various workstations and laptops in order to recover mail messages. A recent off-line backup of the client's financials/ERP systems made it possible to recover these essential applications back online. Although significant work remained to recover totally from the Ryuk attack, the most important services were recovered quickly:
"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer sales."
Over the next month critical milestones in the recovery process were achieved through tight cooperation between Progent team members and the customer:
- Internal web sites were brought back up with no loss of information.
- The MailStore Exchange Server with over 4 million archived emails was brought online and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/AR/Inventory modules were fully operational.
- A new Palo Alto Networks 850 firewall was brought online.
- Ninety percent of the desktops and laptops were fully operational.
"A huge amount of what transpired in the early hours is nearly entirely a blur for me, but my management will not forget the commitment all of you accomplished to give us our business back. I've been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This time was a life saver."
A probable business-ending disaster was dodged due to results-oriented professionals, a wide array of subject matter expertise, and close collaboration. Although in analyzing the event afterwards the crypto-ransomware penetration detailed here could have been identified and stopped with modern cyber security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and properly executed incident response procedures for data backup and proper patching controls, the reality is that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of professionals has extensive experience in ransomware virus defense, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for letting me get rested after we got past the most critical parts. Everyone did an amazing effort, and if anyone is visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Los Angeles a range of remote monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services utilize modern AI technology to detect new strains of ransomware that are able to get past traditional signature-based security solutions.
For Los Angeles 24/7 Crypto-Ransomware Removal Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior machine learning tools to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a unified platform to manage the entire malware attack progression including filtering, detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services offer economical multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint management, and web filtering through cutting-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can assist your business to design and configure a ProSight ESP deployment that meets your organization's unique requirements and that helps you demonstrate compliance with legal and industry data protection regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent can also help your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has worked with advanced backup software providers to produce ProSight Data Protection Services, a selection of management offerings that provide backup-as-a-service. ProSight DPS services manage and monitor your backup operations and allow non-disruptive backup and rapid recovery of vital files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by equipment failures, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or software glitches. Managed backup services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security companies to deliver centralized control and comprehensive protection for all your inbound and outbound email. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your exposure to external attacks and saves system bandwidth and storage space. Email Guard's on-premises gateway device provides a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, monitor, enhance and debug their networking appliances such as switches, firewalls, and access points plus servers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch ensures that infrastructure topology maps are kept current, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating tedious management activities, ProSight WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, locating devices that need important software patches, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by checking the health of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT personnel and your Progent engineering consultant so that all potential issues can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to a different hardware solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect information related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By updating and managing your IT documentation, you can save as much as half of time thrown away searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes cutting edge behavior-based machine learning tools to guard endpoints as well as servers and VMs against new malware assaults such as ransomware and email phishing, which easily escape traditional signature-matching AV tools. Progent ASM services safeguard on-premises and cloud resources and offers a unified platform to manage the entire malware attack progression including filtering, identification, containment, cleanup, and forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Call Center: Help Desk Managed Services
Progent's Help Desk services enable your IT staff to outsource Call Center services to Progent or split responsibilities for support services transparently between your internal support team and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth extension of your internal support organization. End user access to the Help Desk, delivery of support, issue escalation, trouble ticket creation and tracking, efficiency measurement, and management of the service database are consistent whether issues are taken care of by your core support staff, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/shared Call Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer businesses of all sizes a flexible and affordable alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. Besides optimizing the security and functionality of your IT network, Progent's software/firmware update management services permit your in-house IT staff to focus on line-of-business initiatives and tasks that derive maximum business value from your network. Read more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo MFA managed services utilize Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Android, and other personal devices. Using Duo 2FA, whenever you log into a protected online account and give your password you are requested to confirm who you are on a unit that only you possess and that uses a separate network channel. A broad range of out-of-band devices can be utilized for this added form of authentication such as an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can designate multiple verification devices. For more information about Duo identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.