Ransomware : Your Feared IT Catastrophe
Ransomware has become an escalating cyberplague that presents an enterprise-level threat for organizations vulnerable to an assault. Different versions of ransomware like the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for many years and still cause damage. The latest versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as frequent as yet unnamed newcomers, not only do encryption of online data but also infect all configured system restores and backups. Data synched to off-site disaster recovery sites can also be encrypted. In a vulnerable system, this can make automated recovery hopeless and basically sets the network back to square one.
Getting back online programs and data following a ransomware outage becomes a race against time as the victim struggles to contain and eradicate the ransomware and to resume mission-critical operations. Due to the fact that crypto-ransomware requires time to replicate, attacks are usually launched at night, when successful attacks typically take longer to detect. This multiplies the difficulty of promptly mobilizing and orchestrating a qualified response team.
Progent makes available an assortment of solutions for securing businesses from ransomware penetrations. Among these are staff training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of modern security solutions with artificial intelligence technology from SentinelOne to discover and suppress day-zero threats rapidly. Progent also can provide the services of veteran ransomware recovery engineers with the skills and commitment to reconstruct a breached environment as urgently as possible.
Progent's Ransomware Restoration Services
Following a crypto-ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will return the needed codes to unencrypt any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their files even after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET estimates to be approximately $13,000. The fallback is to setup from scratch the essential components of your Information Technology environment. Absent the availability of complete system backups, this requires a wide complement of skills, professional team management, and the willingness to work 24x7 until the job is done.
For two decades, Progent has made available expert IT services for businesses in Lubbock and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained top certifications in foundation technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's security consultants have garnered internationally-renowned industry certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience gives Progent the ability to rapidly ascertain important systems and organize the remaining parts of your network environment following a ransomware attack and configure them into a functioning system.
Progent's ransomware team has best of breed project management tools to coordinate the sophisticated recovery process. Progent understands the urgency of working quickly and in concert with a client's management and Information Technology team members to prioritize tasks and to get key systems back online as soon as possible.
Customer Story: A Successful Ransomware Intrusion Recovery
A small business sought out Progent after their network system was penetrated by Ryuk ransomware. Ryuk is believed to have been launched by Northern Korean government sponsored criminal gangs, possibly adopting approaches exposed from America's National Security Agency. Ryuk attacks specific organizations with little or no room for operational disruption and is among the most lucrative examples of crypto-ransomware. High publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago with about 500 staff members. The Ryuk event had paralyzed all company operations and manufacturing capabilities. The majority of the client's information backups had been online at the time of the attack and were damaged. The client was pursuing financing for paying the ransom (in excess of two hundred thousand dollars) and hoping for good luck, but in the end utilized Progent.
"I cannot tell you enough about the care Progent gave us throughout the most critical period of (our) company's survival. We most likely would have paid the cybercriminals if not for the confidence the Progent team afforded us. That you could get our e-mail and critical applications back on-line faster than one week was earth shattering. Every single person I interacted with or e-mailed at Progent was amazingly focused on getting us operational and was working non-stop on our behalf."
Progent worked hand in hand the customer to rapidly determine and prioritize the key elements that needed to be recovered in order to restart business operations:
To start, Progent followed ransomware incident response best practices by halting lateral movement and clearing infected systems. Progent then began the work of restoring Microsoft AD, the foundation of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange email will not work without Active Directory, and the businesses' financials and MRP software used Microsoft SQL Server, which depends on Active Directory for security authorization to the databases.
- Active Directory (AD)
- Microsoft Exchange
Within 2 days, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then performed reinstallations and storage recovery of needed systems. All Microsoft Exchange Server ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Outlook Email Offline Data Files) on team PCs in order to recover email information. A recent off-line backup of the customer's financials/MRP software made them able to return these required services back available to users. Although a lot of work needed to be completed to recover completely from the Ryuk virus, core systems were recovered rapidly:
"For the most part, the production manufacturing operation ran fairly normal throughout and we produced all customer sales."
During the next few weeks key milestones in the restoration process were completed through tight cooperation between Progent consultants and the customer:
- Internal web applications were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server with over 4 million archived messages was brought on-line and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were completely operational.
- A new Palo Alto Networks 850 firewall was brought online.
- Ninety percent of the user PCs were operational.
"A lot of what was accomplished in the initial days is mostly a blur for me, but our team will not soon forget the care each of the team accomplished to help get our business back. I've been working together with Progent for at least 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This time was a life saver."
A possible company-ending catastrophe was averted with hard-working professionals, a wide range of knowledge, and close collaboration. Although in hindsight the ransomware incident described here should have been shut down with current security systems and recognized best practices, user and IT administrator education, and properly executed incident response procedures for information protection and proper patching controls, the reality remains that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware incident, remember that Progent's team of experts has proven experience in ransomware virus defense, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for letting me get rested after we got over the initial push. All of you did an fabulous job, and if any of your team is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Lubbock a range of remote monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services include modern artificial intelligence technology to detect zero-day strains of ransomware that are able to evade traditional signature-based security products.
For 24-7 Lubbock Crypto Recovery Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior machine learning tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily escape traditional signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to address the entire threat lifecycle including protection, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies incorporated within one agent managed from a single control. Progent's data protection and virtualization experts can help you to design and implement a ProSight ESP environment that meets your organization's unique requirements and that helps you prove compliance with legal and industry data security regulations. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent's consultants can also assist your company to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has worked with advanced backup software providers to create ProSight Data Protection Services, a selection of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and enable non-disruptive backup and rapid recovery of vital files, applications, images, plus VMs. ProSight DPS helps you protect against data loss resulting from equipment failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or software glitches. Managed services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security vendors to deliver centralized control and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. Email Guard's cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper layer of inspection for incoming email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map out, track, reconfigure and debug their connectivity hardware such as routers and switches, firewalls, and load balancers as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are kept current, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating time-consuming management processes, WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating appliances that need critical software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your network operating at peak levels by tracking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT management staff and your Progent engineering consultant so that all potential issues can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs ,domains or warranties. By updating and managing your network documentation, you can eliminate as much as 50% of time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates next generation behavior-based machine learning technology to guard endpoint devices and servers and VMs against new malware attacks like ransomware and email phishing, which easily get by legacy signature-based anti-virus products. Progent ASM services safeguard on-premises and cloud-based resources and provides a unified platform to manage the entire threat progression including blocking, detection, containment, remediation, and forensics. Top features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Call Center: Call Center Managed Services
Progent's Call Center managed services enable your information technology team to offload Help Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your internal support group and Progent's extensive roster of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a seamless extension of your corporate support organization. User access to the Service Desk, provision of support, issue escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the service database are consistent whether issues are resolved by your internal support group, by Progent, or by a combination. Read more about Progent's outsourced/co-managed Help Center services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for patch management offer businesses of all sizes a versatile and affordable solution for evaluating, validating, scheduling, applying, and tracking updates to your ever-evolving information system. In addition to optimizing the security and functionality of your IT environment, Progent's patch management services permit your IT staff to concentrate on line-of-business projects and tasks that derive the highest business value from your network. Find out more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA services incorporate Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo supports single-tap identity verification with Apple iOS, Android, and other personal devices. With Duo 2FA, when you sign into a secured application and give your password you are asked to verify your identity via a device that only you have and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used as this second means of ID validation including a smartphone or wearable, a hardware/software token, a landline phone, etc. You can register several validation devices. To find out more about ProSight Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding suite of real-time and in-depth reporting plug-ins created to integrate with the industry's leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-up or machines with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.