Ransomware : Your Feared Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that represents an existential threat for businesses vulnerable to an assault. Ransomware families such as Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and continue to inflict damage. Recent ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus the daily stream of unnamed variants, not only encrypts online data files but also attacks any configured system protection it can reach. Files replicated to cloud environments can be corrupted as well. In a poorly architected environment, this can render restore operations useless and effectively set the network back to zero.
Getting applications and information back after a ransomware attack becomes a sprint against time as the targeted organization struggles to contain and eradicate the ransomware and restore business-critical activity. Because ransomware needs time to spread, attacks are usually sprung on weekends, when they may take longer to recognize. This multiplies the difficulty of promptly assembling and orchestrating a capable response team.
Progent provides a variety of services for protecting organizations from ransomware attacks. These include training staff to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances with artificial intelligence technology from SentinelOne to discover and quarantine new cyber threats rapidly. Progent also offers the services of seasoned ransomware recovery engineers with the skills and commitment to reconstruct a breached system as urgently as possible.
Progent's Ransomware Recovery Help
After a ransomware invasion, paying the ransom in cryptocurrency does not guarantee that the criminals will respond with the keys to decipher your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their information even after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms are typically several hundred thousand dollars, and for larger organizations the demand can reach millions. The fallback is to rebuild the critical elements of your Information Technology environment. Without complete system backups, this calls for a wide complement of IT skills, well-coordinated team management, and the capability to work non-stop until the task is done.
For twenty years, Progent has offered certified expert Information Technology services for businesses across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded top industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally renowned industry certifications including CISM, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of expertise gives Progent the skills to quickly identify critical systems, salvage the surviving parts of your Information Technology environment after a ransomware penetration, and assemble them into a functioning network.
Progent's security group deploys powerful project management systems to coordinate the sophisticated restoration process. Progent appreciates the importance of acting swiftly and together with a client's management and IT resources to prioritize tasks and to get critical services back online as soon as possible.
Customer Case Study: A Successful Ransomware Attack Response
A business hired Progent after its network was taken over by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored cybercriminals, possibly adopting algorithms leaked from America's National Security Agency. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most profitable ransomware operations. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago with around 500 staff members. The Ryuk penetration had brought down all business operations and manufacturing capabilities. Most of the client's backup data had been directly accessible on the network when the attack began and was eventually encrypted. The client was pursuing financing to pay the ransom demand (more than $200,000) and hoping for good luck, but in the end brought in Progent.
"I can't say enough about the support Progent gave us throughout the most stressful period of (our) business's survival. We had little choice but to pay the hackers behind this attack except for the confidence the Progent experts provided us. That you could get our messaging and key servers back online faster than one week was incredible. Each expert I got help from or messaged at Progent was laser focused on getting our system up and was working 24 by 7 to bail us out."
Progent worked with the client to quickly identify and prioritize the most important services that had to be restored before company operations could resume:
- Windows Active Directory
- Microsoft Exchange Server
- Financials/MRP
To begin, Progent followed incident response best practices by halting the spread and disinfecting systems. Progent then began recovering Microsoft Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Exchange email will not operate without AD, and the client's MRP applications ran on Microsoft SQL Server, which relies on Windows AD for authentication and authorization to the database.
In less than two days, Progent rebuilt Windows Active Directory to its pre-attack state. Progent then carried out setup and hard drive recovery on the most important systems. All Exchange Server data and configuration information were intact, which greatly simplified the restoration of Exchange. Progent was also able to find unencrypted OST files (Microsoft Outlook Offline Folder Files) on staff desktops and laptops and used them to recover email data. A reasonably recent offline backup of the customer's manufacturing systems made it possible to bring these essential services back into service. Although a large amount of work remained to recover completely from the Ryuk damage, critical systems were restored rapidly:
"For the most part, the production manufacturing operation showed little impact and we did not miss any customer sales."
Over the next couple of weeks, important milestones in the restoration project were achieved in close collaboration between Progent engineers and the client:
- Self-hosted web sites were brought back up with no loss of information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived emails, was brought online and made accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory capabilities were fully recovered.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Nearly all user workstations were back in operation.
"So much of what happened during the initial response is mostly a blur for me, but our team will not soon forget the care each and every one of your team put in to help get our business back. I have been working together with Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This event was the most impressive ever."
Conclusion
A likely business-killing catastrophe was averted through top-tier experts, a wide spectrum of knowledge, and tight teamwork. Post-incident forensics showed that the ransomware attack described here could have been identified and stopped with current cyber security solutions and ISO/IEC 27001 best practices, user and IT administrator training, and well thought out incident response procedures covering backup and keeping systems current with security patches. Nevertheless, state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incursion, be confident that Progent's team of professionals has a proven track record in ransomware blocking, remediation, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for allowing me to get rested after we got past the initial fire. All of you did an amazing job, and if anyone that helped is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Leeds a portfolio of online monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services include next-generation AI technology to uncover new variants of crypto-ransomware that are able to get past traditional signature-based security products.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running at peak levels by checking the state of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management personnel and your Progent engineering consultant so any looming problems can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Desktops
ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-based platform for managing your network, server, and desktop devices by providing tools for performing common time-consuming jobs. These include health monitoring, patch management, automated remediation, endpoint setup, backup and restore, anti-virus response, remote access, built-in and custom scripts, asset inventory, endpoint profile reporting, and debugging help. When ProSight LAN Watch with NinjaOne RMM identifies a serious incident, it sends an alarm to your designated IT staff and your assigned Progent technical consultant so that potential issues can be taken care of before they impact productivity. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring services.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, track, optimize and troubleshoot their connectivity appliances such as routers, firewalls, and access points as well as servers, printers, client computers and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that network diagrams are kept current, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating tedious network management activities, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that require important updates, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of in-depth reporting plug-ins created to integrate with the industry's top ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-through or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has partnered with leading backup/restore technology providers to create ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup operations and allow transparent backup and rapid recovery of critical files/folders, applications, images, plus VMs. ProSight DPS lets you recover from data loss caused by equipment failures, natural calamities, fire, malware such as ransomware, human error, ill-intentioned employees, or software bugs. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security companies to provide centralized management and world-class protection for all your email traffic. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of unwanted email before it reaches your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper level of inspection for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA services utilize Cisco's Duo technology to protect against password theft by using two-factor authentication. Duo supports single-tap identity verification with iOS, Android, and other out-of-band devices. Using 2FA, whenever you sign into a protected application and enter your password you are asked to verify your identity on a device that only you have and that uses a different network channel. A broad range of devices can be used for this added means of authentication including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You can designate several verification devices. To find out more about Duo identity validation services, visit Cisco Duo MFA two-factor authentication services for access security.
- Outsourced/Co-managed Service Desk: Support Desk Managed Services
Progent's Service Desk services enable your IT group to offload support desk services to Progent or split responsibilities for support services seamlessly between your in-house support staff and Progent's extensive roster of IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a seamless extension of your corporate support team. User interaction with the Service Desk, provision of technical assistance, issue escalation, trouble ticket generation and tracking, performance metrics, and management of the support database are consistent regardless of whether incidents are resolved by your core IT support staff, by Progent, or both. Find out more about Progent's outsourced/shared Service Desk services.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next-generation behavior analysis tools to defend endpoints, servers, and VMs against modern malware attacks like ransomware and email phishing, which easily get by legacy signature-matching AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a single platform to automate the entire threat lifecycle, including protection, detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard data about your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to half the time spent looking for critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent's Patch Management: Patch Management Services
Progent's support services for software and firmware patch management provide businesses of any size a versatile and cost-effective solution for evaluating, validating, scheduling, applying, and tracking software and firmware updates to your dynamic information network. Besides maximizing the security and functionality of your IT environment, Progent's software/firmware update management services free up time for your IT staff to concentrate on more strategic projects and activities that derive the highest business value from your information network. Read more about Progent's software/firmware update management support services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Because the environment is virtualized, it can be ported easily to a different hardware environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's cutting-edge behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and fileless exploits, which easily escape traditional signature-based anti-virus tools. ProSight ASM protects local and cloud-based resources and provides a single platform to automate the complete threat lifecycle, including protection, detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, device control, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization consultants can help your business to design and implement a ProSight ESP deployment that meets your company's specific needs and that helps you demonstrate compliance with government and industry information security regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent can also assist your company to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
For 24/7 Leeds CryptoLocker Cleanup Consulting, call Progent at 800-462-8800 or go to Contact Progent.