Ransomware : Your Worst Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that represents an extinction-level danger for businesses of all sizes unprepared for an attack. Different iterations of ransomware like the Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and still cause harm. The latest versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, plus more as yet unnamed viruses, not only do encryption of on-line data files but also infect any available system protection. Data replicated to cloud environments can also be ransomed. In a vulnerable data protection solution, it can render automated restoration impossible and basically sets the datacenter back to square one.
Getting back on-line programs and information after a ransomware attack becomes a sprint against time as the victim struggles to stop the spread and cleanup the virus and to restore enterprise-critical activity. Due to the fact that ransomware needs time to move laterally, attacks are often sprung during weekends and nights, when attacks typically take longer to notice. This multiplies the difficulty of promptly mobilizing and organizing a capable response team.
Progent has a range of help services for protecting enterprises from ransomware events. These include staff training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security gateways with AI technology from SentinelOne to identify and extinguish zero-day cyber attacks automatically. Progent in addition provides the services of expert ransomware recovery professionals with the skills and commitment to restore a compromised system as urgently as possible.
Progent's Crypto-Ransomware Restoration Help
Following a ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not ensure that cyber criminals will respond with the needed keys to decrypt all your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET averages to be around $13,000. The other path is to re-install the vital parts of your Information Technology environment. Without the availability of full information backups, this requires a wide range of IT skills, well-coordinated team management, and the capability to work non-stop until the job is finished.
For twenty years, Progent has offered expert Information Technology services for businesses in Midtown Manhattan and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained top industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial systems and ERP application software. This breadth of experience affords Progent the ability to rapidly understand necessary systems and re-organize the remaining components of your network system after a ransomware attack and assemble them into an operational system.
Progent's recovery group utilizes best of breed project management applications to coordinate the complex restoration process. Progent appreciates the urgency of working quickly and in concert with a customer's management and Information Technology resources to prioritize tasks and to put key services back on line as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Recovery
A client engaged Progent after their organization was crashed by the Ryuk ransomware virus. Ryuk is thought to have been deployed by Northern Korean government sponsored cybercriminals, possibly using techniques leaked from the U.S. NSA organization. Ryuk seeks specific companies with little or no tolerance for operational disruption and is one of the most lucrative examples of crypto-ransomware. Well Known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business based in Chicago and has around 500 employees. The Ryuk penetration had paralyzed all business operations and manufacturing processes. Most of the client's data backups had been on-line at the start of the intrusion and were destroyed. The client was taking steps for paying the ransom demand (exceeding $200K) and wishfully thinking for the best, but in the end brought in Progent.
"I cannot say enough about the help Progent gave us throughout the most fearful time of (our) businesses survival. We would have paid the Hackers if not for the confidence the Progent experts afforded us. That you could get our e-mail system and important applications back faster than seven days was something I thought impossible. Every single consultant I talked with or communicated with at Progent was urgently focused on getting us restored and was working 24/7 on our behalf."
Progent worked with the client to rapidly understand and assign priority to the mission critical applications that had to be restored to make it possible to continue business functions:
To start, Progent adhered to Anti-virus incident response industry best practices by stopping the spread and cleaning systems of viruses. Progent then began the task of bringing back online Microsoft Active Directory, the foundation of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the businesses' MRP applications used SQL Server, which needs Active Directory services for access to the data.
- Windows Active Directory
- Electronic Mail
- MRP System
Within 2 days, Progent was able to restore Active Directory services to its pre-intrusion state. Progent then accomplished setup and hard drive recovery of key systems. All Exchange schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to find intact OST files (Outlook Email Off-Line Folder Files) on various PCs in order to recover mail data. A recent offline backup of the customer's manufacturing systems made it possible to recover these vital services back online. Although a large amount of work still had to be done to recover fully from the Ryuk damage, essential services were restored quickly:
"For the most part, the production line operation did not miss a beat and we made all customer deliverables."
During the next few weeks important milestones in the restoration process were completed in close collaboration between Progent engineers and the customer:
- Internal web applications were returned to operation with no loss of information.
- The MailStore Microsoft Exchange Server with over four million archived emails was brought online and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were fully operational.
- A new Palo Alto Networks 850 firewall was brought online.
- Ninety percent of the user desktops were fully operational.
"So much of what occurred in the initial days is nearly entirely a fog for me, but our team will not forget the urgency each and every one of your team put in to help get our business back. I've utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was a testament to your capabilities."
A potential business extinction disaster was dodged with results-oriented experts, a broad array of technical expertise, and close collaboration. Although in post mortem the ransomware incident detailed here would have been identified and prevented with modern security technology and NIST Cybersecurity Framework best practices, user and IT administrator training, and well thought out security procedures for data protection and keeping systems up to date with security patches, the reality is that state-sponsored hackers from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of experts has extensive experience in ransomware virus blocking, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get rested after we got over the most critical parts. All of you did an incredible effort, and if anyone is in the Chicago area, dinner is on me!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Midtown Manhattan a portfolio of remote monitoring and security assessment services to help you to minimize the threat from ransomware. These services utilize modern AI technology to uncover zero-day strains of crypto-ransomware that can evade traditional signature-based security products.
For 24/7 Midtown Manhattan CryptoLocker Repair Consultants, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to address the entire malware attack progression including protection, infiltration detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection services offer economical in-depth security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering through cutting-edge technologies incorporated within a single agent managed from a unified control. Progent's data protection and virtualization experts can help you to design and configure a ProSight ESP environment that addresses your company's specific needs and that allows you demonstrate compliance with legal and industry data security regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent's consultants can also assist your company to set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup/restore software providers to create ProSight Data Protection Services (DPS), a selection of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS services manage and track your data backup operations and enable transparent backup and fast recovery of important files, apps, system images, plus VMs. ProSight DPS helps you recover from data loss caused by equipment breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or software glitches. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading information security companies to provide centralized control and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard managed service combines a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of inspection for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, track, optimize and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are kept updated, captures and manages the configuration information of almost all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating time-consuming network management processes, WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, finding devices that need critical updates, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your IT system operating efficiently by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT staff and your assigned Progent engineering consultant so that all looming issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved easily to a different hosting environment without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard information related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates ,domains or warranties. By updating and organizing your IT documentation, you can eliminate up to 50% of time thrown away searching for critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates cutting edge behavior-based analysis tools to guard endpoint devices and physical and virtual servers against new malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-based AV tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provides a single platform to address the entire threat lifecycle including protection, identification, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against new threats. Find out more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Help Desk: Support Desk Managed Services
Progent's Help Desk services allow your IT team to offload Support Desk services to Progent or divide activity for support services transparently between your in-house network support staff and Progent's nationwide roster of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a transparent supplement to your internal IT support resources. User interaction with the Help Desk, provision of support, problem escalation, ticket creation and updates, performance measurement, and management of the support database are cohesive whether incidents are resolved by your corporate support organization, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Help Center services.
- Patch Management: Patch Management Services
Progent's support services for patch management provide businesses of any size a versatile and affordable alternative for assessing, validating, scheduling, applying, and documenting updates to your dynamic information system. Besides maximizing the protection and reliability of your computer environment, Progent's patch management services permit your IT team to focus on line-of-business projects and activities that derive the highest business value from your information network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. Using 2FA, when you log into a secured application and enter your password you are requested to verify who you are on a unit that only you have and that is accessed using a different network channel. A wide range of devices can be used for this second means of ID validation such as an iPhone or Android or watch, a hardware token, a landline telephone, etc. You may designate several verification devices. For details about Duo two-factor identity validation services, refer to Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing line of in-depth management reporting plug-ins designed to integrate with the top ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-up or endpoints with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.