Ransomware: Your Feared IT Nightmare
Ransomware has become an escalating cyber pandemic that presents an extinction-level danger for organizations poorly prepared for an attack. Versions of crypto-ransomware like the Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been circulating for many years and continue to cause destruction. The latest versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus daily as-yet-unnamed variants, not only encrypt online critical data but also infect every accessible system restore point and backup. Data synchronized to the cloud can also be corrupted. In a poorly architected system, this renders automated restore operations useless and essentially knocks the entire environment back to zero.
Recovering services and information after a ransomware outage becomes a sprint against the clock as the targeted business tries its best to contain the damage, clean up the ransomware, and restore mission-critical activity. Because ransomware needs time to spread, attacks are usually launched on weekends and holidays, when successful attacks may take longer to recognize. This compounds the difficulty of rapidly mobilizing and orchestrating a qualified response team.
Progent offers an assortment of services for protecting organizations from ransomware attacks. These include user training to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security tools with machine learning capabilities from SentinelOne to detect and extinguish zero-day threats intelligently. Progent also provides the assistance of veteran ransomware recovery consultants with the skills and perseverance to reconstruct a compromised system as quickly as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that remote criminals will provide the keys needed to decrypt any or all of your data. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their files even after paying the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the vital elements of your IT environment. Without access to full data backups, this calls for a wide range of skill sets, well-coordinated project management, and the willingness to work continuously until the recovery project is finished.
For two decades, Progent has offered professional IT services for businesses in Allentown and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold advanced certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of experience gives Progent the ability to rapidly identify critical systems following a ransomware event, integrate the remaining components of your network environment, and rebuild them into an operational system.
Progent's security team uses state-of-the-art project management applications to coordinate the complex restoration process. Progent appreciates the urgency of working rapidly and in concert with a client's management and Information Technology team members to prioritize tasks and get critical services back online as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Incident Recovery
A customer sought out Progent after their organization was crippled by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state cybercriminals, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most lucrative examples of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk event had shut down all business operations and manufacturing processes. The majority of the client's backups had been directly accessible at the time of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom (exceeding $200,000) and hoping for the best, but in the end reached out to Progent.
"I cannot thank you enough for the support Progent provided us throughout the most fearful time of (our) business's life. We may have had to pay the cybercriminals if not for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and key servers back on-line in less than seven days was incredible. Every single staff member I got help from or communicated with at Progent was hell bent on getting our system up and was working at all hours on our behalf."
Progent worked together with the customer to quickly understand and assign priority to the mission critical areas that had to be recovered in order to continue departmental operations:
- Windows Active Directory
- Microsoft Exchange Server
- Accounting/MRP
To begin, Progent followed industry best practices for ransomware incident response by halting the spread and removing active malware. Progent then started the work of recovering Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Exchange email will not work without Windows AD, and the client's accounting and MRP applications used SQL Server, which depends on Active Directory for access to the databases.
Within two days, Progent was able to restore Active Directory to its pre-compromise state. Progent then began rebuilding and recovering the hard drives of mission-critical servers. All Microsoft Exchange Server schema and configuration information was usable, which greatly helped the restoration of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Data Files) on team workstations and laptops in order to recover email messages. A fairly recent offline backup of the client's manufacturing software made it possible to return these required applications to service. Although a lot of work still had to be done to recover completely from the Ryuk damage, core systems were returned to operation rapidly:
"For the most part, the production manufacturing operation showed little impact and we delivered all customer orders."
Throughout the following month, key milestones in the restoration process were reached in tight collaboration between Progent engineers and the client:
- Internal web applications were brought back up without losing any data.
- The MailStore Microsoft Exchange Server containing more than four million archived emails was brought online and available for users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory functions were fully operational.
- A new Palo Alto Networks 850 firewall was deployed.
- Ninety percent of the user desktops and notebooks were back in operation.
"So much of what was accomplished in the initial days is nearly entirely a fog for me, but we will not forget the dedication each of the team put in to give us our business back. I've been working with Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This time was a Herculean accomplishment."
Conclusion
A potential business disaster was averted by dedicated experts, a wide array of IT skills, and tight teamwork. Although in post-mortem analysis the ransomware incident detailed here should have been identified and prevented with advanced security technology and best practices, team training, and appropriate security procedures for information backup and software patching, the reality is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a ransomware attack, feel confident that Progent's team of professionals has proven experience in ransomware blocking, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), I'm grateful for making it so I could get rested after we got through the initial fire. All of you did a fabulous job, and if any of your team is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, see Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Allentown a variety of online monitoring and security assessment services to help you reduce your vulnerability to ransomware. These services include next-generation artificial intelligence technology to detect zero-day variants of ransomware that can get past legacy signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next-generation behavior-based machine learning tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely get past legacy signature-matching AV products. ProSight ASM safeguards local and cloud resources and offers a single platform to address the complete malware attack lifecycle including protection, identification, containment, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering via leading-edge tools incorporated within a single agent managed from a single control. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP environment that meets your company's unique needs and that helps you demonstrate compliance with government and industry information security standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate attention. Progent can also help you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with advanced backup technology companies to produce ProSight Data Protection Services (DPS), a selection of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your backup operations and allow non-disruptive backup and rapid recovery of vital files, applications, system images, plus VMs. ProSight DPS lets you recover from data loss caused by equipment failures, natural calamities, fire, cyber attacks like ransomware, human error, malicious employees, or software glitches. Managed backup services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security vendors to provide centralized control and comprehensive security for all your email traffic. The powerful architecture of Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. The cloud filter serves as a first line of defense and blocks most threats from reaching your network firewall. This decreases your vulnerability to external attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further layer of analysis for incoming email. For outbound email, the on-premises security gateway offers AV and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Exchange Server track and protect internal email that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map, monitor, reconfigure and debug their connectivity appliances such as switches, firewalls, and load balancers as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration of almost all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating complex management activities, WAN Watch can knock hours off common tasks like network mapping, expanding your network, locating appliances that require critical software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to help keep your network running efficiently by tracking the health of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT personnel and your assigned Progent engineering consultant so any potential issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be ported immediately to a different hardware solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and safeguard information about your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates, domains, or warranties. By cleaning up and managing your IT documentation, you can save as much as half of the time spent searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting-edge behavior-based analysis technology to guard endpoint devices, servers, and VMs against new malware assaults like ransomware and file-less exploits, which easily evade traditional signature-based anti-virus tools. Progent Active Security Monitoring services protect local and cloud-based resources and offer a single platform to automate the entire malware attack lifecycle including filtering, detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Center: Support Desk Managed Services
Progent's Help Desk managed services enable your information technology team to offload Call Center services to Progent or split activity for Help Desk services seamlessly between your in-house support team and Progent's extensive pool of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a transparent extension of your internal support organization. End user interaction with the Help Desk, delivery of support, problem escalation, ticket creation and tracking, performance measurement, and maintenance of the support database are consistent regardless of whether incidents are taken care of by your core IT support group, by Progent's team, or both. Learn more about Progent's outsourced/shared Service Center services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide organizations of any size a flexible and affordable solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information network. Besides optimizing the security and reliability of your IT network, Progent's software/firmware update management services permit your IT team to concentrate on line-of-business initiatives and activities that deliver maximum business value from your network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo MFA services utilize Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo supports single-tap identity verification on iOS, Android, and other personal devices. With Duo 2FA, when you log into a secured application and enter your password, you are requested to confirm your identity via a device that only you possess and that is reached over a separate network channel. A wide range of devices can be used as this second means of authentication, including an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline phone. You may designate multiple verification devices. For more information about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing line of real-time and in-depth management reporting tools designed to work with the industry's top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For Allentown 24x7 Ransomware Recovery Services, call Progent at 800-462-8800 or go to Contact Progent.