Ransomware: Your Worst IT Catastrophe
Ransomware has become a too-frequent cyber pandemic that poses an existential threat to businesses unprepared for an attack. Versions of ransomware such as the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been in the wild for a long time and still cause havoc. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with many unnamed variants, not only encrypt on-line data but also infiltrate any system backup that is reachable from the compromised network. Data replicated to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this can render automated recovery impossible and effectively knocks the datacenter back to zero.
Getting services and data back after a ransomware attack becomes a race against time as the targeted business tries its best to stop the spread, clear the malware, and resume business-critical activity. Because ransomware needs time to move laterally, assaults are usually launched during weekends and nights, when penetrations may take longer to identify. This compounds the difficulty of promptly mobilizing and coordinating a qualified mitigation team.
Progent offers a range of solutions for securing organizations against ransomware penetrations. Among these are team education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security appliances with AI technology from SentinelOne to discover and disable new threats rapidly. Progent also offers the services of experienced ransomware recovery engineers with the track record and perseverance to rebuild a breached system as urgently as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, even paying the ransom in cryptocurrency does not ensure that the attackers will provide the keys to decrypt any or all of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after sending off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to re-install the mission-critical elements of your IT environment. Without access to complete data backups, this calls for a wide range of IT skills, professional team management, and the willingness to work 24x7 until the recovery project is finished.
For twenty years, Progent has offered certified expert IT services for companies in Oakland and across the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the capability to quickly identify important systems, organize the surviving pieces of your network after a ransomware penetration, and rebuild them into a functioning network.
Progent's ransomware team of experts uses best-of-breed project management applications to orchestrate the sophisticated recovery process. Progent understands the urgency of acting swiftly and working together with a customer's management and IT team members to prioritize tasks and to put essential services back on-line as fast as possible.
Client Story: A Successful Ransomware Penetration Response
A customer sought out Progent after their organization was attacked by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored criminal gangs, suspected of adopting technology leaked from America's NSA. Ryuk targets specific businesses with little ability to sustain disruption and is one of the most profitable versions of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk event had disabled all essential operations and manufacturing processes. The majority of the client's system backups had been directly accessible from the network at the beginning of the intrusion and were encrypted. The client was evaluating paying the ransom demand (in excess of $200K) and hoping for the best, but in the end decided to use Progent.
"I can't tell you enough in regards to the support Progent gave us during the most critical time of (our) business's life. We may have had to pay the Hackers if not for the confidence the Progent group afforded us. The fact that you could get our e-mail and essential applications back online faster than five days was beyond my wildest dreams. Every single consultant I talked with or communicated with at Progent was hell bent on getting us back on-line and was working 24/7 to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the mission-critical elements that had to be restored to make it possible to continue company functions:
- Active Directory (AD)
- Microsoft Exchange
To start, Progent followed ransomware incident mitigation best practices by stopping lateral movement and cleaning systems of malware. Progent then began the steps of rebuilding Active Directory, the core of enterprise networks built on Microsoft Windows technology. Microsoft Exchange messaging will not function without Active Directory, and the business's financials and MRP software used Microsoft SQL Server, which requires Active Directory for authentication.
Within 2 days, Progent was able to recover Active Directory to its pre-penetration state. Progent then charged ahead with rebuilding and storage recovery for critical applications. All Exchange Server ties and attributes in Active Directory were intact, which greatly helped the rebuild of Exchange. Progent was able to locate local OST files (Outlook Offline Data Files) on various PCs and laptops to recover email data. A recent offline backup of the client's financials/MRP systems made it possible to bring these vital services back on-line. Although a lot of work remained to recover fully from the Ryuk damage, essential systems were returned to operation rapidly:
"For the most part, the production manufacturing operation ran fairly normal throughout and we produced all customer deliverables."
During the following few weeks, key milestones in the restoration process were reached in tight collaboration between Progent consultants and the client:
- In-house web applications were returned to operation with no loss of data.
- The MailStore Exchange Server containing more than four million archived messages was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were 100 percent operational.
- A new Palo Alto 850 security appliance was installed and configured.
- Nearly all of the user desktops were being used by staff.
"A huge amount of what was accomplished in the initial days is mostly a haze for me, but I will not soon forget the countless hours all of the team put in to help get our business back. I have been working together with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered. This event was a Herculean accomplishment."
A potential business-ending catastrophe was averted with top-tier experts, a broad spectrum of IT skills, and close teamwork. Post-incident analysis showed that the ransomware incident described here would have been prevented by up-to-date security solutions and security best practices, staff education, and properly executed procedures for data backup and software patching. Still, the reality remains that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware incursion, you can be confident that Progent's team of professionals has proven experience in crypto-ransomware defense, cleanup, and information systems restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for letting me get some sleep after we got over the initial fire. Everyone did an amazing job, and if any of your guys is in the Chicago area, dinner is my treat!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Oakland a variety of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services incorporate next-generation machine learning technology to detect new variants of ransomware that can get past legacy signature-based anti-virus products.
For 24-7 Oakland Crypto Repair Help, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a single platform to address the entire malware attack lifecycle including blocking, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection managed services deliver economical multi-layer security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint management, and web filtering through cutting-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP deployment that meets your organization's unique needs and that helps you prove compliance with legal and industry data security standards. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for immediate attention. Progent can also help you to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has worked with advanced backup software companies to produce ProSight Data Protection Services (DPS), a portfolio of offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup processes and enable non-disruptive backup and rapid restoration of vital files, applications, images, plus virtual machines. ProSight DPS lets your business protect against data loss caused by hardware breakdown, natural disasters, fire, malware such as ransomware, human error, malicious employees, or application bugs. Managed services available in the ProSight DPS product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security companies to deliver web-based management and world-class security for your email traffic. The hybrid structure of Email Guard combines a Cloud Protection Layer with a local security gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This reduces your vulnerability to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a further layer of inspection for inbound email. For outgoing email, the local security gateway offers AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also help Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map out, monitor, reconfigure and troubleshoot their connectivity appliances like switches, firewalls, and access points plus servers, printers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch makes sure that network maps are always updated, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and sends notices when issues are discovered. By automating time-consuming management activities, WAN Watch can knock hours off common chores such as making network diagrams, reconfiguring your network, finding devices that require critical software patches, or resolving performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network operating at peak levels by tracking the health of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT staff and your Progent engineering consultant so that any looming issues can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hosting environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard data about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can save up to half of the time spent searching for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes cutting-edge behavior-based machine learning technology to guard endpoint devices as well as physical and virtual servers against new malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and offer a unified platform to automate the complete malware attack lifecycle including protection, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Service Center: Support Desk Managed Services
Progent's Help Center managed services allow your IT staff to offload Call Center services to Progent or split responsibilities for Help Desk services transparently between your internal support team and Progent's extensive pool of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent supplement to your in-house IT support organization. User access to the Help Desk, provision of support services, escalation, trouble ticket generation and updates, efficiency measurement, and management of the service database are cohesive regardless of whether incidents are resolved by your in-house IT support resources, by Progent's team, or by a combination. Find out more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer businesses of any size a versatile and cost-effective solution for assessing, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. In addition to optimizing the protection and functionality of your computer environment, Progent's software/firmware update management services free up time for your in-house IT staff to concentrate on more strategic projects and tasks that deliver maximum business value from your network. Find out more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA managed services utilize Cisco's Duo technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation on iOS, Google Android, and other personal devices. Using Duo 2FA, whenever you log into a protected online account and enter your password, you are asked to verify who you are on a device that only you have and that is reached over a different network channel. A broad range of out-of-band devices can be used for this second form of authentication, including an iPhone or Android phone or watch, a hardware/software token, a landline phone, etc. You may designate several validation devices. For more information about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services.