Ransomware: Your Crippling IT Disaster
Ransomware has become a too-frequent cyberplague that presents an extinction-level threat for businesses vulnerable to an attack. Versions of ransomware like the Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been around for a long time and continue to inflict harm. More recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as additional unnamed malware, not only encrypt online data but also infect all available system backups. Data synchronized to off-site disaster recovery sites can also be corrupted. With a vulnerable data protection solution, this can make any restore operation hopeless and effectively knocks the entire system back to zero.
Bringing programs and data back online after a crypto-ransomware outage becomes a race against time as the victim tries its best to contain and clear the ransomware and to resume enterprise-critical operations. Because ransomware takes time to move laterally, attacks are usually sprung at night, when they often take longer to detect. This multiplies the difficulty of quickly marshalling and organizing an experienced mitigation team.
Progent makes available an assortment of services for protecting businesses from ransomware events. Among these are staff education to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security appliances with machine learning capabilities from SentinelOne to detect and suppress new threats rapidly. Progent also provides the services of seasoned ransomware recovery professionals with the talent and perseverance to restore a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware event, paying the ransom demand in cryptocurrency does not guarantee that distant criminals will respond with the keys needed to decrypt all your information. Kaspersky found that 17% of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET puts at around $13,000. The alternative is to re-install the essential elements of your IT environment. Absent the availability of full system backups, this requires a broad complement of IT skills, professional project management, and the capability to work continuously until the task is over.
For two decades, Progent has offered professional IT services for businesses in Joinville and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-renowned certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience in accounting and ERP application software. This breadth of expertise gives Progent the ability to rapidly identify critical systems, reassemble the surviving parts of your network environment after a ransomware penetration, and configure them into a functioning network.
Progent's ransomware group utilizes best-of-breed project management systems to coordinate the complex recovery process. Progent knows the importance of working quickly and together with a client's management and Information Technology staff to assign priority to tasks and to put essential services back online as soon as humanly possible.
Case Study: A Successful Ransomware Virus Response
A business escalated to Progent after its network was attacked by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored hackers, suspected of adopting techniques leaked from America's NSA. Ryuk goes after specific organizations with limited tolerance for operational disruption and is among the most lucrative instances of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk event had brought down all business operations and manufacturing processes. Most of the client's data backups had been on-line at the time of the intrusion and were damaged. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.
"I cannot say enough in regards to the help Progent gave us throughout the most fearful period of (our) business's survival. We would have paid the criminal gangs if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and key applications back on-line quicker than a week was incredible. Each expert I spoke to or texted at Progent was totally committed to getting our system up and was working at all hours on our behalf."
Progent worked hand in hand with the customer to rapidly identify and assign priority to the key areas that needed to be recovered to make it possible to continue departmental functions:
- Windows Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident mitigation by halting the spread and cleaning up infected systems. Progent then began the process of bringing Microsoft Active Directory back online, the core of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Active Directory, and the client's financials and MRP software used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the database.
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then assisted with reinstallations and hard drive recovery on critical servers. All Exchange ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to locate non-encrypted OST files (Outlook Offline Data Files) on team workstations and laptops to recover mail data. A fairly recent offline backup of the business's accounting software made it possible to bring these vital applications back online. Although major work remained to recover fully from the Ryuk event, critical systems were returned to operation quickly:
"For the most part, the production manufacturing operation did not miss a beat and we produced all customer orders."
Over the following month, key milestones in the recovery process were achieved through close cooperation between Progent consultants and the client:
- In-house web sites were restored with no loss of data.
- The MailStore Microsoft Exchange Server with over 4 million historical emails was brought on-line and accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable, and inventory functions were completely functional.
- A new Palo Alto 850 security appliance was brought online.
- Most of the desktops and laptops were fully operational.
"A lot of what occurred those first few days is mostly a blur for me, but my team will not forget the urgency each of the team put in to give us our company back. I have utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered. This event was a testament to your capabilities."
A possible business extinction catastrophe was averted with top-tier experts, a wide range of IT skills, and close teamwork. Forensics completed after the event showed that the ransomware attack described here would have been identified and stopped by modern security solutions, NIST Cybersecurity Framework best practices, team education, well-thought-out incident response procedures, data protection, and proper patching controls; the reality, however, is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of professionals has extensive experience in ransomware defense, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thank you for allowing me to get rested after we got past the first week. Everyone did a fabulous job, and if any of your guys are in the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Joinville a variety of remote monitoring and security assessment services to help you reduce the threat from crypto-ransomware. These services include modern AI technology to detect zero-day strains of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.
For 24x7 Joinville Ransomware Remediation Experts, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior analysis tools to guard physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily escape traditional signature-based AV products. ProSight ASM protects on-premises and cloud resources and provides a unified platform to address the entire threat lifecycle including filtering, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to design and implement a ProSight ESP deployment that meets your organization's unique needs and that helps you prove compliance with government and industry information protection regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent can also assist your company to set up and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has worked with advanced backup software companies to create ProSight Data Protection Services, a portfolio of management offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your backup processes and allow non-disruptive backup and fast restoration of important files/folders, applications, system images, plus VMs. ProSight DPS helps you recover from data loss caused by hardware breakdown, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security companies to deliver centralized control and comprehensive security for all your email traffic. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service attacks, Directory Harvest attacks, and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of analysis for inbound email. For outbound email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, reconfigure and troubleshoot their networking appliances such as routers and switches, firewalls, and access points plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are always updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates notices when issues are discovered. By automating complex management processes, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, finding devices that require important updates, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your IT system operating efficiently by checking the state of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT staff and your Progent consultant so that any potential issues can be resolved before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hosting environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard information about your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes cutting-edge behavior-based machine learning technology to guard endpoints as well as physical and virtual servers against new malware attacks such as ransomware and email phishing, which routinely evade traditional signature-based anti-virus tools. Progent ASM services safeguard local and cloud-based resources and provide a single platform to automate the entire threat lifecycle including protection, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Find out more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Service Center: Call Center Managed Services
Progent's Help Center services permit your information technology team to outsource Call Center services to Progent or split activity for support services transparently between your in-house network support resources and Progent's nationwide roster of certified IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a seamless extension of your in-house network support team. User access to the Service Desk, delivery of technical assistance, escalation, ticket generation and updates, efficiency metrics, and maintenance of the service database are consistent whether issues are resolved by your in-house network support staff, by Progent, or both. Learn more about Progent's outsourced/co-managed Help Center services.
- Progent's Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer organizations of any size a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic IT system. In addition to maximizing the security and reliability of your computer environment, Progent's software/firmware update management services free up time for your in-house IT staff to focus on more strategic initiatives and tasks that deliver maximum business value from your network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against the use of stolen passwords through two-factor authentication. Duo enables single-tap identity confirmation with iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a protected online account and enter your password, you are asked to verify who you are via a device that only you have and that is reached over a different network channel. A broad range of devices can be used as this second form of ID validation, such as a smartphone or watch, a hardware/software token, or a landline telephone. You may designate several validation devices. To find out more about Duo two-factor identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time and in-depth management reporting tools designed to work with the industry's leading ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues like spotty support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.