Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware has become an all-too-frequent cyber pandemic that presents an existential threat to businesses of all sizes that are poorly prepared for an attack. Ransomware families such as CryptoLocker, Fusob, Locky, SamSam and the MongoLock cryptoworm have been around for many years and continue to cause damage. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with a steady stream of unnamed newcomers, not only encrypt online data but also seek out and encrypt every reachable system restore point and backup. Files synced to the cloud can be encrypted as well. In a vulnerable environment this can make any restoration hopeless and effectively knocks the datacenter back to zero.
Getting services and data back online after a ransomware outage becomes a race against time as the victim struggles to stop lateral movement, remove the crypto-ransomware, and restore business-critical activity. Because crypto-ransomware takes time to spread, attacks are usually launched at night and on weekends, when a successful intrusion may take longer to discover. This compounds the difficulty of rapidly assembling and coordinating a qualified response team.
Progent provides a range of services for protecting organizations from crypto-ransomware attacks. These include user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation endpoint security from SentinelOne that uses artificial intelligence to detect and block zero-day threats automatically. Progent also offers the assistance of seasoned crypto-ransomware recovery engineers with the skill and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware event, even paying the ransom in cryptocurrency gives no assurance that the remote criminals will hand over the keys needed to decrypt all your data. Kaspersky determined that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms are commonly several hundred thousand dollars, and for larger organizations the demand can reach millions. The alternative is to piece the key components of your IT environment back together. Without access to usable backups, this requires a wide range of skill sets, first-rate project management, and the ability to work around the clock until the recovery is complete.
For decades, Progent has provided expert Information Technology services to companies throughout the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers with advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and the popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of expertise gives Progent the ability, after a crypto-ransomware event, to rapidly identify the essential systems, organize the surviving pieces of your IT environment, and configure them into a functioning whole.
Progent's recovery team uses first-rate project management tools to orchestrate the complex recovery process. Progent understands the importance of acting quickly and working together with the client's management and IT staff to prioritize tasks and bring the most important systems back online as soon as possible.
Case Study: A Successful Ransomware Incident Recovery
A business sought out Progent after it was attacked by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state hackers, suspected of using algorithms leaked from America's NSA. Ryuk targets specific businesses with little or no ability to tolerate operational disruption and is one of the most profitable incarnations of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company based in Chicago with around 500 staff members. The Ryuk event had shut down all company operations and manufacturing capabilities. Most of the client's backups had been directly reachable at the start of the intrusion and were eventually encrypted. The client was considering paying the ransom (more than $200K) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough in regards to the support Progent provided us throughout the most stressful time of (our) company's survival. We most likely would have paid the Hackers if it wasn't for the confidence the Progent experts gave us. The fact that you could get our messaging and critical servers back in less than 1 week was earth shattering. Every single consultant I worked with or texted at Progent was hell-bent on getting our system up and was working at breakneck pace to bail us out."
Progent worked with the client to rapidly determine and assign priority to the essential applications that needed to be recovered in order to restart company operations:
- Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by halting the spread and disinfecting systems. Progent then started the work of restoring Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows. Microsoft Exchange messaging will not function without Active Directory, and the customer's financial and MRP software ran on Microsoft SQL Server, which depends on Active Directory for authenticating access to the data.
In less than 2 days, Progent restored Active Directory services to their pre-attack state. Progent then pressed ahead with rebuilding critical applications and recovering their storage. All Exchange Server bindings and configuration data were intact, which simplified the rebuild of Exchange. Progent was also able to locate unencrypted OST files (Microsoft Outlook Offline Data Files) on staff workstations and laptops and used them to recover email. A recent offline backup of the business's accounting/MRP systems made it possible to bring these vital applications back to users. Although much work remained before the company had fully recovered from the Ryuk event, core services were restored quickly:
"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer deliverables."
Over the next couple of weeks, important milestones in the recovery were reached through close collaboration between Progent team members and the customer:
- Internal web applications were returned to operation with no loss of data.
- The MailStore Exchange Server containing more than four million historical messages was spun up and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory capabilities were 100 percent functional.
- A new Palo Alto Networks 850 firewall was brought on-line.
- Ninety percent of the user workstations were fully operational.
"Much of what was accomplished those first few days is nearly entirely a haze for me, but my management will not forget the commitment each of the team put in to give us our company back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This event was a life saver."
Conclusion
A potential business catastrophe was averted through top-tier professionals, a wide spectrum of subject matter expertise, and close collaboration. In hindsight, the ransomware attack described here should have been prevented by current security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, well-designed incident response procedures for information protection, and keeping systems current with security patches. The fact remains, however, that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and pose an ongoing threat. If you are hit by a ransomware incursion, remember that Progent's team of experts has extensive experience in blocking crypto-ransomware, cleaning up after it, and recovering files.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get rested after we got through the most critical parts. All of you did an impressive effort, and if any of your team is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Joinville a range of remote monitoring and security assessment services to help you reduce your exposure to crypto-ransomware. These services use modern machine learning to detect new strains of ransomware that evade traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that uses SentinelOne's cutting-edge behavior-based analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform that addresses the entire threat lifecycle: protection, detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection services offer affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and respond to attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP environment that addresses your company's unique needs and helps you demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and implement the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alarms that require immediate attention. Progent's consultants can also help your company install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services, a portfolio of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup processes and allow transparent backup and rapid restoration of important files, applications, images, and VMs. ProSight DPS helps your business recover from data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or application glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses technology from leading information security vendors to provide web-based management and world-class protection for your inbound and outbound email. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to offer complete defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter, which reduces your exposure to external threats and conserves bandwidth and storage. Email Guard's on-premises gateway adds a further level of analysis for incoming email. For outgoing email, the on-premises gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server monitor and safeguard internal email traffic that never leaves your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, track, enhance and troubleshoot their connectivity hardware such as routers and switches, firewalls, and access points as well as servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always updated, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks such as network mapping, expanding your network, locating devices that need critical software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by checking the state of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT management personnel and your assigned Progent engineering consultant so that all potential issues can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Since the system is virtualized, it can be moved immediately to a different hardware environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation service that makes it easy to create, maintain, find and safeguard information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains or warranties. By keeping your network documentation current and well organized, you can eliminate up to half of the time wasted hunting for critical information about your IT network. ProSight IT Asset Management provides a centralized repository for storing and collaborating on all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and correlating IT data. Whether you're planning improvements, performing routine maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection service that uses next-generation behavior-based machine learning to guard endpoint devices, servers and VMs against modern malware such as ransomware and file-less exploits, which easily evade traditional signature-based AV tools. Progent's Active Security Monitoring services safeguard on-premises and cloud-based resources and offer a unified platform that addresses the complete malware attack lifecycle: filtering, intrusion detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Help Center: Help Desk Managed Services
Progent's Call Center managed services permit your information technology staff to outsource Help Desk services to Progent or split activity for Service Desk support transparently between your internal network support staff and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a seamless supplement to your in-house support organization. Client interaction with the Service Desk, delivery of technical assistance, issue escalation, ticket generation and tracking, performance measurement, and management of the support database are consistent whether issues are resolved by your corporate support organization, by Progent, or both. Find out more about Progent's outsourced/shared Call Center services.
- Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide businesses of any size a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and tracking updates to your ever-evolving IT system. In addition to optimizing the security and functionality of your computer environment, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic projects and activities that derive maximum business value from your information network. Read more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication services use Cisco's Duo cloud technology to defend against password theft with two-factor authentication. Duo enables single-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected online account and enter your password, you are asked to verify your identity with a device that only you possess and that is reached over a separate network channel. A broad selection of devices can serve as this second factor, including an iPhone, Android phone or wearable, a hardware token, or a landline phone, and you can register multiple verification devices. To find out more about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of real-time management reporting utilities created to integrate with the leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Joinville 24/7/365 Ransomware Recovery Experts, call Progent at 800-462-8800 or go to Contact Progent.