Ransomware: Your Worst IT Disaster
Ransomware has become an escalating cyber plague that represents an extinction-level threat for businesses of any size that are vulnerable to an attack. Long-established cryptoworm families such as CrySIS, CryptoWall, Locky, Syskey and MongoLock have been circulating for a long time and continue to cause destruction. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, plus new and as-yet-unnamed malware appearing daily, not only encrypt critical online data but also encrypt any accessible system restore points and backups. Files synchronized to cloud storage can be encrypted as well. In a poorly designed environment this renders automatic restoration useless and effectively sets the entire system back to square one.
Recovering programs and data after a ransomware attack becomes a race against time as the victim fights to contain and clean up the malware and to resume business-critical activity. Because ransomware needs time to move laterally, attacks are often triggered at night, when a successful attack may take longer to identify. This compounds the difficulty of rapidly mobilizing and coordinating an experienced response team.
Progent offers a variety of services for protecting organizations from ransomware attacks. These include training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of modern SentinelOne security products with artificial intelligence capabilities that detect and quarantine zero-day threats quickly. Progent can also provide expert ransomware recovery professionals with the skills and commitment to rebuild a breached environment as quickly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware intrusion, paying the ransom in Bitcoin provides no assurance that the criminals will hand over the keys needed to decrypt your information. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the typical ransomware demand, which ZDNet put at around $13,000. The fallback is to rebuild the vital components of your IT environment. Without usable backups of essential data, this requires a broad set of skills, professional project management, and the willingness to work non-stop until the job is done.
For two decades, Progent has provided certified expert IT services to companies in Leeds and across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who hold high-level certifications in leading technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's security specialists hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise with financial systems and ERP software. This breadth of experience allows Progent to quickly identify critical systems, organize the surviving parts of your network environment after a ransomware attack, and reassemble them into a functioning network.
Progent's ransomware recovery team uses proven project management systems to orchestrate the complex restoration process. Progent appreciates the urgency of acting quickly and works together with a client's management and IT staff to prioritize tasks and bring critical systems back online as fast as humanly possible.
Case Study: A Successful Ransomware Penetration Restoration
A small business hired Progent after it was penetrated by Ryuk ransomware. Ryuk is generally believed to have been launched by North Korean state-sponsored criminal groups, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most lucrative ransomware strains. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with around 500 employees. The Ryuk attack had halted all company operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were damaged. The client was preparing to pay the ransom (exceeding $200K) and hoping for the best, but ultimately reached out to Progent.
"I can't say enough in regard to the help Progent provided us during the most critical time of (our) company's existence. We had little choice but to pay the criminal gangs if not for the confidence the Progent team gave us. That you were able to get our e-mail and key servers back into operation in less than five days was incredible. Every single consultant I interacted with or e-mailed at Progent was amazingly focused on getting my company operational and was working at breakneck pace on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the essential services that had to be restored to allow departmental functions to continue:
- Microsoft Active Directory
- Electronic Messaging
To start, Progent followed industry best practices for malware incident mitigation by halting lateral movement and performing malware removal steps. Progent then began restoring Microsoft Active Directory (AD), the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not work without AD, and the business's MRP system used Microsoft SQL Server, which relies on Windows AD authentication to authorize access to its data.
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then helped with setup and disk recovery of essential applications. All Exchange data and attributes were intact, which greatly simplified the restoration of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Data Files) on staff workstations and use them to recover mail messages. A reasonably recent offline backup of the customer's financial/ERP systems made it possible to bring these required services back online for users. Although major work remained to recover completely from the Ryuk damage, critical systems were returned to operation quickly:
"For the most part, the production operation survived unscathed and we produced all customer orders."
Over the following couple of weeks, important milestones in the restoration project were reached in close cooperation between Progent team members and the customer:
- Self-hosted web sites were restored without losing any data.
- The MailStore Server, holding more than 4 million archived messages, was brought online and made accessible to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable (AR), and inventory functions were fully operational.
- A new Palo Alto 850 security appliance was installed.
- Ninety percent of the user PCs were back in use by staff.
"Much of what was accomplished that first week is nearly entirely a fog for me, but our team will not forget the dedication each and every one of you showed to give us our business back. I have utilized Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered. This situation was a life saver."
A potentially business-killing catastrophe was averted by top-tier experts, a broad spectrum of subject matter expertise, and close collaboration. In hindsight, the ransomware attack described here could have been detected and stopped by advanced security tools, NIST Cybersecurity Framework best practices, user education, well-designed data protection procedures, and timely security patching. The fact remains, however, that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of professionals has a proven track record in crypto-ransomware defense, remediation, and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for making it so I could get some sleep after we got over the most critical parts. All of you did an impressive job, and if anyone that helped is around the Chicago area, dinner is on me!"
To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Leeds a portfolio of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to crypto-ransomware. These services include modern machine learning technology to uncover new strains of crypto-ransomware that can get past traditional signature-based security products.
For Leeds 24-7 Ransomware Removal Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses SentinelOne's cutting-edge behavior analysis tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to address the complete malware attack lifecycle, including blocking, intrusion detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge tools packaged within one agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP environment that meets your company's unique needs and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent can also help your company install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore technology companies to produce ProSight Data Protection Services (DPS), a family of subscription-based management offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your backup processes and enable transparent backup and fast restoration of critical files/folders, apps, images, plus virtual machines. ProSight DPS lets you avoid data loss caused by equipment failures, natural calamities, fire, malware like ransomware, user mistakes, malicious employees, or software glitches. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security companies to deliver centralized control and comprehensive security for all your email traffic. The powerful structure of Email Guard integrates cloud-based filtering with an on-premises security gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further level of inspection for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, optimize and debug their networking appliances like routers and switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are kept current, captures and manages the configuration of almost all devices on your network, monitors performance, and sends alerts when issues are discovered. By automating tedious management processes, ProSight WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, locating devices that need important software patches, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to help keep your IT system running efficiently by checking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent consultant so all potential problems can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be moved easily to a different hosting environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect information related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains, or warranties. By cleaning up and managing your network documentation, you can eliminate as much as half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and how-to guides. ProSight IT Asset Management also offers a high level of automation for gathering and correlating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that uses next-generation behavior-based analysis tools to defend endpoint devices and physical and virtual servers against new malware attacks like ransomware and email phishing, which easily evade legacy signature-matching anti-virus products. Progent ASM services protect on-premises and cloud-based resources and offer a unified platform to manage the complete malware attack lifecycle, including filtering, intrusion detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Call Desk: Call Center Managed Services
Progent's Help Center services allow your information technology team to offload Help Desk services to Progent or to split responsibility for support services transparently between your internal network support staff and Progent's nationwide roster of IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a smooth supplement to your internal support organization. End user interaction with the Service Desk, delivery of support services, issue escalation, trouble ticket creation and updates, efficiency metrics, and management of the service database are consistent regardless of whether issues are resolved by your in-house IT support group, by Progent, or by a mix of the two. Read more about Progent's outsourced/co-managed Service Center services.
- Patch Management: Patch Management Services
Progent's managed services for patch management offer organizations of all sizes a versatile and affordable solution for evaluating, validating, scheduling, applying, and documenting updates to your dynamic information network. Besides optimizing the security and functionality of your computer network, Progent's patch management services free up time for your IT staff to focus on more strategic projects and activities that derive maximum business value from your network. Read more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication (2FA). Duo supports one-tap identity verification on iOS, Google Android, and other out-of-band devices. Using 2FA, whenever you log into a secured online account and give your password you are requested to confirm your identity on a device that only you have and that uses a different ("out-of-band") network channel. A broad range of devices can be utilized as this second means of authentication including an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You may designate multiple verification devices. To find out more about Duo identity validation services, see Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of real-time management reporting tools created to work with the top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues like spotty support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.