Ransomware : Your Worst Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that presents an enterprise-level danger for businesses poorly prepared for an assault. Different iterations of crypto-ransomware such as Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for many years and continue to cause havoc. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with daily as yet unnamed viruses, not only encrypt online data files but also infect all accessible system backup. Files synchronized to cloud environments can also be ransomed. In a poorly architected data protection solution, it can make automatic restoration hopeless and effectively sets the network back to zero.
Getting back online applications and data following a ransomware event becomes a race against time as the targeted organization fights to contain, remove the ransomware, and restore enterprise-critical activity. Since ransomware requires time to replicate, penetrations are frequently launched during weekends and nights, when successful penetrations tend to take longer to notice. This multiplies the difficulty of promptly mobilizing and orchestrating an experienced mitigation team.
Progent makes available a range of services for protecting organizations from ransomware events. These include staff training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of modern security gateways with artificial intelligence capabilities from SentinelOne to discover and suppress day-zero threats intelligently. Progent in addition offers the assistance of seasoned ransomware recovery engineers with the track record and commitment to restore a compromised network as urgently as possible.
Progent's Ransomware Restoration Support Services
Soon after a ransomware invasion, paying the ransom in cryptocurrency does not provide any assurance that criminal gangs will return the needed codes to decrypt all your files. Kaspersky estimated that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are commonly a few hundred thousand dollars. For larger enterprises, the ransom demand can be in the millions of dollars. The fallback is to piece back together the essential parts of your IT environment. Without access to complete data backups, this requires a wide range of skills, well-coordinated project management, and the willingness to work non-stop until the job is done.
For decades, Progent has offered expert IT services for companies across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded top certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent in addition has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the capability to knowledgably understand critical systems and consolidate the remaining components of your IT environment after a crypto-ransomware penetration and rebuild them into an operational network.
Progent's ransomware team of experts has best of breed project management applications to coordinate the sophisticated recovery process. Progent knows the importance of acting rapidly and together with a client's management and IT resources to prioritize tasks and to put essential systems back on-line as soon as possible.
Customer Case Study: A Successful Ransomware Penetration Restoration
A client escalated to Progent after their organization was taken over by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state sponsored cybercriminals, suspected of adopting technology exposed from the United States National Security Agency. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is one of the most profitable versions of ransomware malware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk intrusion had disabled all essential operations and manufacturing capabilities. The majority of the client's data protection had been on-line at the time of the intrusion and were damaged. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and praying for good luck, but ultimately called Progent.
"I cannot speak enough about the support Progent provided us during the most fearful period of (our) businesses survival. We would have paid the cybercriminals if not for the confidence the Progent team provided us. The fact that you could get our e-mail and production applications back into operation faster than five days was something I thought impossible. Each expert I talked with or messaged at Progent was hell bent on getting us back on-line and was working day and night on our behalf."
Progent worked together with the client to rapidly understand and prioritize the key applications that needed to be recovered in order to resume departmental operations:
- Active Directory
- Electronic Mail
- Accounting/MRP
To begin, Progent followed Anti-virus event response best practices by halting the spread and removing active viruses. Progent then started the process of restoring Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Exchange messaging will not work without AD, and the client's financials and MRP software leveraged SQL Server, which depends on Active Directory for access to the data.
In less than two days, Progent was able to restore Active Directory to its pre-virus state. Progent then charged ahead with reinstallations and hard drive recovery of critical applications. All Exchange ties and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder Files) on staff desktop computers and laptops to recover email information. A not too old off-line backup of the client's accounting/MRP software made them able to restore these vital applications back on-line. Although a lot of work needed to be completed to recover completely from the Ryuk event, core services were recovered quickly:
"For the most part, the manufacturing operation ran fairly normal throughout and we made all customer deliverables."
During the following couple of weeks important milestones in the restoration process were achieved through tight cooperation between Progent team members and the customer:
- In-house web sites were returned to operation without losing any data.
- The MailStore Exchange Server containing more than 4 million archived emails was restored to operations and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control modules were completely restored.
- A new Palo Alto 850 firewall was installed.
- 90% of the user workstations were fully operational.
"So much of what happened in the early hours is nearly entirely a blur for me, but my management will not forget the dedication all of you accomplished to help get our company back. I've utilized Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered. This time was the most impressive ever."
Conclusion
A likely business-killing catastrophe was dodged due to dedicated experts, a wide array of technical expertise, and tight collaboration. Although in hindsight the ransomware attack described here should have been shut down with up-to-date security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and properly executed security procedures for backup and applying software patches, the fact is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware penetration, feel confident that Progent's team of experts has proven experience in crypto-ransomware virus defense, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), I'm grateful for allowing me to get some sleep after we made it over the first week. Everyone did an impressive effort, and if anyone is visiting the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Midtown Manhattan a variety of online monitoring and security assessment services to help you to minimize your vulnerability to crypto-ransomware. These services incorporate next-generation AI capability to uncover zero-day strains of ransomware that can get past legacy signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior-based analysis technology to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily evade traditional signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a unified platform to automate the entire malware attack lifecycle including protection, identification, containment, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools incorporated within one agent managed from a single control. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you prove compliance with legal and industry data protection standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent can also help you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup technology providers to produce ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that deliver backup-as-a-service. ProSight DPS products automate and track your data backup processes and enable non-disruptive backup and rapid restoration of vital files/folders, apps, system images, plus virtual machines. ProSight DPS helps your business protect against data loss caused by hardware breakdown, natural calamities, fire, cyber attacks like ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security companies to deliver centralized management and comprehensive protection for your email traffic. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email from making it to your network firewall. This decreases your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper layer of analysis for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map, track, enhance and debug their connectivity hardware like switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are always updated, captures and displays the configuration of almost all devices connected to your network, monitors performance, and generates notices when potential issues are detected. By automating tedious network management processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding devices that need important software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your network running at peak levels by tracking the state of critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT personnel and your Progent consultant so all potential problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hardware solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect data about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate as much as half of time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Learn more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting edge behavior machine learning tools to guard endpoint devices as well as physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and offers a unified platform to automate the complete threat lifecycle including protection, identification, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Find out more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Service Desk: Support Desk Managed Services
Progent's Help Center managed services allow your IT group to outsource Call Center services to Progent or split responsibilities for Help Desk services transparently between your internal network support resources and Progent's extensive pool of IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a smooth extension of your in-house support organization. User interaction with the Service Desk, delivery of support, escalation, ticket creation and tracking, efficiency measurement, and maintenance of the support database are cohesive regardless of whether incidents are taken care of by your in-house network support group, by Progent's team, or by a combination. Find out more about Progent's outsourced/co-managed Service Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and affordable alternative for evaluating, validating, scheduling, implementing, and documenting updates to your ever-evolving information network. In addition to maximizing the protection and functionality of your computer network, Progent's software/firmware update management services free up time for your IT staff to concentrate on more strategic initiatives and activities that deliver the highest business value from your network. Read more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication. Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. With 2FA, whenever you log into a protected application and give your password you are requested to verify who you are via a unit that only you have and that uses a different ("out-of-band") network channel. A wide selection of devices can be utilized for this second means of authentication such as an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You may designate several verification devices. For details about Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time management reporting plug-ins designed to work with the leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like spotty support follow-up or machines with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For Midtown Manhattan 24/7/365 Crypto Repair Consultants, call Progent at 800-462-8800 or go to Contact Progent.