Ransomware: Your Worst Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger to businesses unprepared for an attack. Ransomware families such as Reveton, Fusob, Locky, SamSam and MongoLock have been running rampant for years and continue to cause damage. More recent families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, as well as a steady stream of unnamed variants, not only encrypt online data files but also attack every recovery mechanism they can reach: they delete Volume Shadow Copies, disable Windows recovery options, and encrypt or wipe any backup repository that is online and writable with the credentials they have stolen. Information replicated to off-site disaster recovery sites can also be ransomed if the replication path is writable from the compromised network. In a poorly architected system, this makes automated restore operations impossible and effectively sets the entire system back to square one.
Getting applications and information back online after a crypto-ransomware intrusion becomes a sprint against the clock as the victim fights to stop lateral movement, eradicate the malware, and restore business-critical operations. Because ransomware needs time to spread, attacks are often launched at night and on weekends, when intrusions typically take longer to identify. This multiplies the difficulty of quickly marshalling and coordinating a qualified response team.
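The recovery-sabotage step described above shows up in process-creation telemetry before any file is encrypted, so it is worth detecting on its own. The following is an added example, not Progent's code and not part of the original page: a small Python detector that runs over constructed Sysmon-style process-creation log lines (the one-line log format, host names and user names are assumptions) and flags the commands ransomware typically issues to delete shadow copies, shrink shadow storage, disable Windows boot recovery and remove backup catalogs (MITRE ATT&CK T1490, Inhibit System Recovery). It also marks events outside assumed business hours, since deployments are so often timed for nights and weekends, and escalates any host on which several distinct techniques fire together.

```python
"""Detect recovery-inhibition commands in process-creation logs.

Added example, not Progent's tooling. The log format below is a constructed
one-line-per-event shape (timestamp, host, user, event, quoted command line);
adapt LOG_RE to your own Sysmon/EDR export.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Command lines that destroy or disable Windows recovery mechanisms
# (MITRE ATT&CK T1490). Matching is case-insensitive on the full command line.
RECOVERY_INHIBIT_PATTERNS = {
    "vss_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I),
    "vss_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_norecovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wbadmin_delete_catalog": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
}

# Constructed log shape: <ISO-8601 UTC> host=<name> user=<DOMAIN\user> event=ProcessCreate cmd="<command line>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'event=ProcessCreate\s+cmd="(?P<cmd>.*)"\s*$'
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    user: str
    technique: str
    off_hours: bool
    cmd: str


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside 06:00-20:00 (assumed business hours)."""
    return ts.weekday() >= 5 or ts.hour >= 20 or ts.hour < 6


def classify(cmd: str):
    """Return the technique name the command line matches, or None."""
    for name, pattern in RECOVERY_INHIBIT_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def scan(lines):
    """Parse log lines and return one Alert per matching process creation."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable, or not a process-creation event
        technique = classify(m["cmd"])
        if technique is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        alerts.append(Alert(ts, m["host"], m["user"], technique, is_off_hours(ts), m["cmd"]))
    return alerts


def hosts_under_staging(alerts, min_distinct=2):
    """Hosts where at least `min_distinct` different techniques fired.

    One vssadmin call may be an administrator doing housekeeping; shadow deletion
    plus boot-recovery tampering plus catalog deletion on one host almost never is.
    """
    seen = defaultdict(set)
    for a in alerts:
        seen[a.host].add(a.technique)
    return sorted(h for h, techs in seen.items() if len(techs) >= min_distinct)


# Constructed sample: a Saturday 02:13 burst on a file server, normal weekday
# activity elsewhere, and a lone wmic call on the mail server.
SAMPLE_LOG = r"""
2024-03-16T02:13:44Z host=FS01 user=CORP\svc_backup event=ProcessCreate cmd="vssadmin.exe Delete Shadows /All /Quiet"
2024-03-16T02:13:45Z host=FS01 user=CORP\svc_backup event=ProcessCreate cmd="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"
2024-03-16T02:13:46Z host=FS01 user=CORP\svc_backup event=ProcessCreate cmd="bcdedit /set {default} recoveryenabled No"
2024-03-16T02:13:47Z host=FS01 user=CORP\svc_backup event=ProcessCreate cmd="wbadmin delete catalog -quiet"
2024-03-15T10:02:10Z host=WS042 user=CORP\jdoe event=ProcessCreate cmd="notepad.exe C:\Users\jdoe\notes.txt"
2024-03-15T11:30:00Z host=SQL01 user=CORP\dba event=ProcessCreate cmd="vssadmin list shadows"
2024-03-16T02:20:01Z host=EXCH01 user=CORP\svc_backup event=ProcessCreate cmd="wmic shadowcopy delete"
""".strip().splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        flag = "OFF-HOURS " if a.off_hours else ""
        print(f"{a.ts:%Y-%m-%d %H:%M}Z {flag}{a.host} {a.user} {a.technique}: {a.cmd}")
    print("hosts with multiple recovery-inhibition techniques:", hosts_under_staging(found))
```

On the constructed sample the detector raises five alerts, all off-hours, and escalates only FS01, where four distinct techniques fired within seconds; the lone `vssadmin list shadows` on the SQL host during the working day is correctly ignored. The pattern list is deliberately narrow; in production you would pair it with an allow-list for your backup software's service account and with the same commands observed via WMI or PowerShell rather than only cmd.exe.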
Progent offers an assortment of support services for protecting businesses from ransomware events. Among these are user education to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of SentinelOne's behavior-based endpoint protection to detect and contain zero-day threats. Progent can also provide expert ransomware recovery professionals with the talent and perseverance to restore a breached system as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware event, paying the ransom in cryptocurrency provides no assurance that the criminals will hand over the keys to decrypt any of your files. Kaspersky Lab estimated that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. The ransom itself is also very costly: Ryuk ransoms are often several hundred thousand dollars, and for larger organizations they can run into the millions. The other path is to rebuild the critical parts of your IT environment. Without access to complete, uncompromised backups, this calls for a broad complement of IT skills, professional project management, and the ability to work continuously until the job is done.
For decades, Progent has provided expert IT services for companies across the US and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold top industry certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security engineers hold internationally recognized certifications including CISM, CISSP, CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the ability, after a ransomware attack, to quickly identify the important systems, recover the surviving pieces of your IT environment, and reassemble them into a working whole.
Progent's security team uses robust project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and put essential systems back online as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A client escalated to Progent after their network was brought down by Ryuk ransomware. Early reports linked Ryuk to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group, whose operators have also been suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with around 500 employees. The Ryuk attack had halted all company operations and manufacturing. Most of the client's backups were online and reachable from the compromised network when the attack began, and were encrypted along with everything else. The client was arranging financing to pay the ransom demand (more than $200K) and hoping for the best, but ultimately decided to engage Progent.
"I cannot say enough about the support Progent gave us throughout the most critical time of (our) business's survival. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent team gave us. That you could get our e-mail and production servers back online in less than a week was incredible. Every single consultant I interacted with or texted at Progent was absolutely committed to getting us back on-line and was working at all hours on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the most important systems that had to be restored to keep the business operating:
- Active Directory (AD)
- Exchange Server
- Financials/MRP
To get going, Progent followed incident response best practices by stopping lateral movement and cleaning up compromised systems. Progent then began restoring Microsoft Active Directory, the foundation of any enterprise environment built on Microsoft technology. Microsoft Exchange Server will not function without Active Directory, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on Active Directory accounts to authenticate access to the data.
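The ordering in the passage above (Active Directory first, then Exchange and SQL Server, then the applications that sit on them) is a dependency graph, and on a large rebuild it pays to compute the restore sequence rather than argue about it under pressure. The following is an added example, not Progent's project-management tooling and not from the original page: a Python planner that takes a hypothetical dependency map modelled on the case study (the service names, the DNS and file server entries and the priority values are assumptions) and emits restore waves using Kahn's topological sort, where everything in one wave can be rebuilt in parallel once the previous wave has been verified clean and working. It rejects circular or undefined dependencies, which are exactly the mistakes that surface on a whiteboard at 3 a.m., and can list the full prerequisite chain of any single service.

```python
"""Dependency-ordered restore planning for a ransomware rebuild.

Added example; not Progent's tooling. SERVICES and BUSINESS_PRIORITY are a
hypothetical model of the case-study environment, not the customer's actual
inventory.
"""
from collections import defaultdict

# service -> services that must be verified up before it can be restored
SERVICES = {
    "Active Directory": [],
    "DNS": ["Active Directory"],                 # AD-integrated zones (assumption)
    "Exchange Server": ["Active Directory", "DNS"],
    "SQL Server": ["Active Directory"],          # Windows authentication
    "Financials/MRP": ["SQL Server"],
    "File Server": ["Active Directory"],
    "MailStore Archive": ["Exchange Server"],
    "Intranet Web": ["SQL Server"],
}

# lower number = restore earlier within a wave (assumed business priority)
BUSINESS_PRIORITY = {
    "Active Directory": 1, "DNS": 1,
    "Exchange Server": 2, "SQL Server": 2, "Financials/MRP": 2,
    "File Server": 3, "Intranet Web": 3,
    "MailStore Archive": 4,
}


def restore_waves(deps, priority=None):
    """Group services into waves; each wave depends only on earlier waves.

    Raises ValueError for an undefined dependency or a dependency cycle.
    """
    priority = priority or {}
    for svc, reqs in deps.items():
        for r in reqs:
            if r not in deps:
                raise ValueError(f"{svc!r} depends on undefined service {r!r}")

    indegree = {svc: len(set(reqs)) for svc, reqs in deps.items()}
    dependents = defaultdict(list)
    for svc, reqs in deps.items():
        for r in set(reqs):
            dependents[r].append(svc)

    ready = [svc for svc, d in indegree.items() if d == 0]
    waves, placed = [], 0
    while ready:
        # everything in `ready` has all prerequisites in earlier waves
        wave = sorted(ready, key=lambda s: (priority.get(s, 99), s))
        waves.append(wave)
        placed += len(wave)
        ready = []
        for svc in wave:
            for dep in dependents[svc]:
                indegree[dep] -= 1
                if indegree[dep] == 0:
                    ready.append(dep)

    if placed != len(deps):
        # nodes never reaching indegree 0 sit on a cycle (or depend on one)
        stuck = sorted(svc for svc, d in indegree.items() if d > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return waves


def prerequisites(deps, service):
    """Every service that must be up (transitively) before `service`, sorted."""
    seen, stack = set(), list(deps[service])
    while stack:
        svc = stack.pop()
        if svc not in seen:
            seen.add(svc)
            stack.extend(deps[svc])
    return sorted(seen)


if __name__ == "__main__":
    for n, wave in enumerate(restore_waves(SERVICES, BUSINESS_PRIORITY), 1):
        print(f"wave {n}: {', '.join(wave)}")
    print("before Financials/MRP:", prerequisites(SERVICES, "Financials/MRP"))
```

For the model above the planner produces four waves: Active Directory alone; then DNS, SQL Server and the file server; then Exchange, Financials/MRP and the intranet; and finally the mail archive. The wave boundaries are where you insert your verification gates (clean scan, functional test, fresh offline backup of the rebuilt tier) before letting the next wave start.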
In less than 48 hours, Progent rebuilt Active Directory to its pre-intrusion state. Progent then rebuilt the critical servers and recovered their storage. Exchange Server's Active Directory objects and configuration data were intact (Exchange stores most of its configuration in Active Directory), which simplified the rebuild of Exchange. Progent was also able to locate unencrypted OST files (Outlook Offline Data Files) on various desktop computers and recover mail data from them. A recent offline backup of the customer's manufacturing systems made it possible to bring those essential services back online. Although substantial work remained to recover fully from the Ryuk damage, critical services were restored rapidly:
"For the most part, the production line operation never missed a beat and we made all customer sales."
Over the following month, key milestones in the restoration project were reached through close collaboration between Progent consultants and the customer:
- In-house web sites were returned to operation without losing any data.
- The MailStore email archive server, holding more than 4 million archived emails, was brought online and made accessible to users.
- CRM, orders, invoicing, accounts payable, accounts receivable (AR) and inventory functions were completely recovered.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Most user desktops and notebooks were fully operational.
"A lot of what occurred that first week is mostly a fog for me, but our team will not forget the urgency with which each of you worked to give us our business back. I have trusted Progent for the past 10 years, maybe more, and each time Progent has come through and delivered as promised. This situation was a testament to your capabilities."
Conclusion
A potential company-ending catastrophe was averted by hard-working experts, a wide array of subject matter expertise, and close teamwork. In retrospect, the ransomware incident described here would likely have been blocked by up-to-date security systems, ISO/IEC 27001 best practices, team training, and well-designed procedures for isolating backups and keeping systems current with security patches. The fact remains that attackers, including state-sponsored groups from China, Russia, North Korea and elsewhere, are tireless and will keep trying. If you do fall victim to ransomware, be confident that Progent's team has a proven track record in ransomware prevention, mitigation, and data disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who contributed), I'm grateful for making it possible for me to get some sleep after we made it through the first week. Everyone made an incredible effort, and if anyone is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Leeds a range of online monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services include next-generation machine learning technology to detect new strains of ransomware that can get past traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's behavior-based analysis technology to defend physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which easily evade legacy signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform covering the entire threat progression: filtering, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time system-wide immunization against new attacks. Rollback depends on intact shadow copies on the affected machine, so it complements rather than replaces offline backups. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection services deliver affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to cyber attacks from all vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering via up-to-date technologies packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help you design and configure a ProSight ESP deployment that meets your company's specific needs and that allows you to demonstrate compliance with government and industry data security regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent's consultants can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with leading backup software companies to create ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup processes and allow transparent backup and fast restoration of critical files/folders, applications, images, and virtual machines. ProSight DPS lets your business protect against data loss caused by equipment failures, natural calamities, fire, cyber attacks such as ransomware, human mistakes, malicious insiders, or application glitches. Managed services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security vendors to provide centralized control and world-class protection for your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and saves system bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and protect internal email that stays within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map, monitor, optimize and troubleshoot their connectivity appliances such as routers and switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are always updated, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating tedious network management activities, WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, locating devices that require critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your network running at peak levels by tracking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT management staff and your Progent consultant so that any looming issues can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL/TLS certificates or warranties. By cleaning up and managing your network documentation, you can eliminate as much as half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Read more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection service that uses next-generation behavior-based machine learning technology to guard endpoints and physical and virtual servers against modern malware attacks such as ransomware and fileless exploits, which easily evade traditional signature-based anti-virus products. The service safeguards on-premises and cloud resources and provides a unified platform covering the entire threat progression: blocking, detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Read more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Call Desk: Call Center Managed Services
Progent's Call Center services allow your IT group to offload Help Desk services to Progent or split responsibilities for Help Desk services transparently between your internal network support group and Progent's extensive pool of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless supplement to your in-house IT support organization. End user interaction with the Help Desk, delivery of support services, issue escalation, ticket generation and updates, efficiency metrics, and maintenance of the support database are consistent whether incidents are resolved by your core network support resources, by Progent's team, or both. Read more about Progent's outsourced/shared Service Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and affordable solution for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. In addition to maximizing the security and reliability of your computer network, Progent's software/firmware update management services permit your in-house IT team to focus on line-of-business initiatives and tasks that deliver maximum business value from your information network. Read more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo authentication services use Cisco's Duo technology to protect against password theft through two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign in to a protected application and enter your password you are asked to verify your identity using a device that only you possess and that communicates over a separate channel. A broad range of devices can serve as this second factor, such as an iPhone, Android phone or smartwatch, a hardware or software token, or a landline phone. You may designate multiple verification devices. To learn more about Duo two-factor authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time and in-depth management reporting tools created to integrate with the industry's leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-up or machines with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For Leeds 24-7 Ransomware Removal Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.