Ransomware: Your Feared IT Catastrophe
Ransomware has become an all-too-frequent cyber plague that poses an enterprise-level threat to businesses unprepared for an attack. Earlier strains such as Reveton, WannaCry, Locky, SamSam and MongoLock have been circulating for a long time and still inflict damage. Modern families such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, plus the unnamed variants that appear daily, not only encrypt online files but also reach many of the system backups that are configured to stay connected. Data replicated to the cloud can be rendered useless as well. Against a vulnerable data protection setup this can make every restore operation hopeless and effectively sets the datacenter back to square one.
Retrieving programs and data after a ransomware intrusion becomes a race against the clock as the targeted business fights to contain the damage, eradicate the ransomware, and resume business-critical operations. Because ransomware needs time to move laterally, attacks are usually launched during nights and weekends, when a successful intrusion may take longer to identify. This compounds the difficulty of rapidly mobilizing and organizing an experienced mitigation team.
Progent offers a variety of services for protecting organizations against crypto-ransomware. Among these are staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security gateways with AI technology from SentinelOne to detect and quarantine zero-day attacks automatically. Progent also offers the assistance of expert ransomware recovery consultants with the track record and commitment to restore a compromised network as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware intrusion, even paying the ransom demand in Bitcoin does not guarantee that the criminals will respond with the keys to decrypt any of your files. Kaspersky determined that 17% of ransomware victims never recovered their files after sending off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000), well above the usual crypto-ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the critical elements of your IT environment. Without access to complete data backups, this requires a wide range of skill sets, professional team management, and the ability to work 24x7 until the task is finished.
For decades, Progent has made available expert IT services for companies in Joinville and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded top certifications in important technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security experts have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience in accounting and ERP software solutions. This breadth of experience provides Progent the capability to efficiently identify critical systems and consolidate the surviving components of your IT environment following a ransomware event and rebuild them into a functioning network.
Progent's security group uses top notch project management tools to orchestrate the complex restoration process. Progent knows the importance of working quickly and together with a customer's management and IT team members to assign priority to tasks and to put essential systems back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Intrusion Recovery
A customer sought out Progent after their network was brought down by the Ryuk ransomware. Ryuk is generally believed to have been created by North Korean government-sponsored hackers, possibly using techniques leaked from the United States NSA. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most profitable strains of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with around 500 staff members. The Ryuk event had disabled all essential business and manufacturing operations. Most of the client's system backups had been online at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately called Progent.
"I can't speak enough about the help Progent provided us throughout the most fearful time of (our) company's survival. We most likely would have paid the Hackers if it wasn't for the confidence the Progent group gave us. That you were able to get our messaging and production servers back into operation sooner than a week was incredible. Every single staff member I worked with or messaged at Progent was laser focused on getting us back on-line and was working 24 by 7 on our behalf."
Progent worked with the client to quickly identify and prioritize the key areas that had to be recovered before business functions could resume:
- Microsoft Active Directory
- Electronic Messaging
To begin, Progent followed industry best practices for malware incident mitigation by halting lateral movement and removing active malware. Progent then began bringing Microsoft Active Directory back online, since it is the foundation of enterprise environments built on Microsoft Windows: Exchange email will not function without Active Directory, and the customer's financial and MRP systems ran on Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the databases.
In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then began rebuilding and recovering the disks of mission-critical applications. All Exchange schema and configuration information was intact, which simplified the restore of Exchange. Progent was also able to locate unencrypted OST files (Outlook Offline Folder Files) on staff desktops and laptops and used them to recover email data. A recent offline backup of the business's accounting/MRP systems made it possible to bring these vital services back into service. Although a great deal of work remained to recover completely from the Ryuk attack, essential services were returned to operation rapidly:
"For the most part, the manufacturing operation showed little impact and we did not miss any customer shipments."
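The recovery narrative above is driven by dependencies: Exchange and SQL Server cannot come back until Active Directory does, and the accounting/MRP system cannot come back until SQL Server does. The following planner, written for this page as an added illustration (it is not Progent's tooling and does not appear in the original case study), turns such a dependency map into ordered restore waves and flags impossible plans (cycles, references to services nobody is restoring). The service names and priority scores are constructed from the narrative; the dependency of the web applications on SQL Server is an assumption, not something the page states.

```python
"""Dependency-ordered restore planner (illustrative, constructed for this page)."""


# Constructed service map: service -> set of services it depends on.
# Derived from the narrative: Exchange and SQL Server need AD; MRP runs on SQL.
SAMPLE_DEPENDENCIES = {
    "Active Directory": set(),
    "Exchange": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "Accounting/MRP": {"SQL Server"},
    "MailStore Archive": {"Exchange"},
    "Web Applications": {"SQL Server"},   # assumption, not stated on the page
    "Workstations": {"Active Directory"},
}

# Constructed business-criticality scores (higher = restore first among peers).
SAMPLE_PRIORITY = {
    "Active Directory": 100,
    "Exchange": 90,
    "SQL Server": 90,
    "Accounting/MRP": 85,
    "Web Applications": 60,
    "MailStore Archive": 50,
    "Workstations": 40,
}


def plan_restore_waves(dependencies, priority=None):
    """Return restore waves (lists of service names) in dependency order.

    Wave 0 holds services with no dependencies; wave n holds services whose
    dependencies were all restored in earlier waves. Within a wave, services
    are ordered by descending priority, then by name, so the plan is
    deterministic. Raises ValueError for a dependency cycle or a dependency
    on a service that is not in the map (both make the plan unexecutable).
    """
    priority = priority or {}
    known = set(dependencies)
    for svc, deps in dependencies.items():
        unknown = set(deps) - known
        if unknown:
            raise ValueError(f"{svc} depends on unknown service(s): {sorted(unknown)}")

    remaining = {svc: set(deps) for svc, deps in dependencies.items()}
    restored = set()
    waves = []
    while remaining:
        # A service is ready once every dependency has already been restored.
        ready = [svc for svc, deps in remaining.items() if deps <= restored]
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        ready.sort(key=lambda s: (-priority.get(s, 0), s))
        waves.append(ready)
        restored.update(ready)
        for svc in ready:
            del remaining[svc]
    return waves


def blocked_by(dependencies, service):
    """Return every service that (transitively) cannot return until `service` is back."""
    dependents = {svc for svc, deps in dependencies.items() if service in deps}
    frontier = list(dependents)
    while frontier:
        current = frontier.pop()
        for svc, deps in dependencies.items():
            if current in deps and svc not in dependents:
                dependents.add(svc)
                frontier.append(svc)
    return dependents


if __name__ == "__main__":
    for i, wave in enumerate(plan_restore_waves(SAMPLE_DEPENDENCIES, SAMPLE_PRIORITY)):
        print(f"wave {i}: {', '.join(wave)}")
    print("blocked until Active Directory is restored:",
          sorted(blocked_by(SAMPLE_DEPENDENCIES, "Active Directory")))
```

Running the script prints Active Directory alone in wave 0, followed by Exchange, SQL Server and the workstations, and only then the MRP, web and archive tiers; `blocked_by` shows that every other service in the map waits on Active Directory, which is the reason it was restored first in the case study.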
Over the following weeks, important milestones in the restoration process were reached through close collaboration between Progent consultants and the client:
- Self-hosted web applications were returned to operation without losing any data.
- The MailStore Exchange Server with over 4 million historical messages was restored to operations and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control modules were 100% recovered.
- A new Palo Alto 850 security appliance was set up.
- Most of the user workstations were operational.
"So much of what occurred in the initial days is nearly entirely a haze for me, but we will not forget the dedication each of your team accomplished to give us our company back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered. This situation was no exception but maybe more Herculean."
A likely business-ending disaster was averted by results-oriented experts, a broad spectrum of subject matter expertise, and close collaboration. In hindsight, the ransomware intrusion described here could have been prevented with current cyber security technology, NIST Cybersecurity Framework best practices, user and IT administrator training, and properly executed procedures for data protection and patch management; the fact remains that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you are hit by a ransomware attack, you can be confident that Progent's team of experts has substantial experience in ransomware blocking, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thanks very much for making it so I could get rested after we got past the initial fire. All of you did an incredible job, and if any of your team is around the Chicago area, dinner is my treat!"
To read or download a PDF version of this ransomware incident report, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Joinville a range of online monitoring and security evaluation services to help you to reduce the threat from crypto-ransomware. These services utilize modern artificial intelligence capability to uncover zero-day strains of crypto-ransomware that are able to evade traditional signature-based security products.
For Joinville 24-7 Crypto Cleanup Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses SentinelOne's behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and fileless exploits, which easily get past traditional signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to automate the entire threat lifecycle, including blocking, detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer economical defense in depth for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to cyber attacks from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools incorporated in a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP environment that addresses your company's unique requirements and helps you demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alarms that require urgent attention. Progent's consultants can also help you install and test a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has partnered with leading backup/restore technology companies to produce ProSight Data Protection Services, a portfolio of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup processes and allow non-disruptive backup and rapid restoration of vital files/folders, apps, images, and virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware failures, natural disasters, fire, cyber attacks such as ransomware, human error, malicious employees, or application bugs. Managed backup services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these fully managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security companies to provide centralized management and comprehensive protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard combines cloud-based filtering with a local gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper level of analysis for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to diagram, track, optimize and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network maps are always updated, copies and displays the configuration of almost all devices on your network, tracks performance, and generates notices when issues are discovered. By automating tedious network management processes, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, finding devices that require important software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the state of vital assets that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT personnel and your Progent consultant so that any potential issues can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved easily to a different hosting environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect data related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time spent searching for critical information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection solution that uses behavior-based analysis technology to guard endpoints and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching AV tools. Progent's Active Security Monitoring services safeguard on-premises and cloud resources and provide a unified platform to address the complete threat lifecycle, including blocking, intrusion detection, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Service Center: Call Center Managed Services
Progent's Support Center services enable your information technology staff to offload Help Desk services to Progent or divide responsibilities for Service Desk support transparently between your internal network support team and Progent's extensive pool of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless extension of your core IT support resources. End user access to the Service Desk, delivery of support, problem escalation, ticket creation and tracking, performance measurement, and management of the service database are consistent whether incidents are taken care of by your in-house network support organization, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/co-managed Service Center services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for patch management offer organizations of all sizes a flexible and cost-effective solution for assessing, validating, scheduling, applying, and documenting updates to your ever-evolving information network. In addition to maximizing the security and functionality of your computer network, Progent's patch management services permit your in-house IT team to concentrate on line-of-business projects and tasks that deliver the highest business value from your information network. Read more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication services use Cisco's Duo technology to protect against stolen passwords through two-factor authentication (2FA). Duo enables one-tap identity confirmation on iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to confirm your identity via a device that only you possess and that is reached over a separate network channel. A broad range of devices can serve as this second factor, such as an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline telephone. You can register multiple verification devices. To find out more about ProSight Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of in-depth management reporting tools designed to work with the industry's leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-through or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.