Ransomware : Your Feared IT Catastrophe
Ransomware has become a modern cyberplague that presents an extinction-level threat for organizations vulnerable to an attack. Different versions of ransomware such as Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and continue to cause havoc. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus additional unnamed malware, not only encrypt online data files but also infect most accessible system backups. Files synchronized to cloud environments can also be ransomed. In a poorly architected environment, it can render automatic recovery useless and effectively sets the datacenter back to zero.
Getting back on-line services and data after a ransomware outage becomes a sprint against the clock as the targeted organization tries its best to stop lateral movement and remove the crypto-ransomware and to restore business-critical activity. Since crypto-ransomware requires time to spread, penetrations are often launched during weekends and nights, when penetrations may take more time to notice. This compounds the difficulty of rapidly mobilizing and coordinating a qualified mitigation team.
Progent has a range of support services for protecting organizations from ransomware attacks. These include user training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security gateways with machine learning technology from SentinelOne to detect and suppress day-zero cyber threats automatically. Progent also offers the services of seasoned ransomware recovery engineers with the skills and perseverance to re-deploy a breached environment as soon as possible.
Progent's Ransomware Recovery Services
Subsequent to a ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not ensure that cyber hackers will provide the codes to decipher any of your files. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the typical crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The other path is to piece back together the mission-critical elements of your IT environment. Without access to full information backups, this calls for a wide range of skills, well-coordinated team management, and the willingness to work continuously until the recovery project is complete.
For decades, Progent has provided expert IT services for companies in Leeds and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security specialists have garnered internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the skills to rapidly identify critical systems and integrate the surviving pieces of your network system following a ransomware attack and rebuild them into a functioning system.
Progent's ransomware team of experts uses powerful project management systems to coordinate the complex restoration process. Progent understands the importance of working swiftly and in unison with a customer's management and IT team members to prioritize tasks and to get the most important services back on line as soon as possible.
Case Study: A Successful Crypto-Ransomware Incident Recovery
A small business contacted Progent after their company was attacked by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state sponsored cybercriminals, possibly using strategies exposed from the United States NSA organization. Ryuk attacks specific businesses with little or no ability to sustain operational disruption and is one of the most profitable instances of ransomware viruses. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area with around 500 staff members. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's data protection had been on-line at the time of the attack and were damaged. The client was taking steps for paying the ransom (more than $200,000) and praying for the best, but in the end utilized Progent.
"I cannot say enough about the help Progent gave us during the most stressful period of (our) company's survival. We would have paid the cyber criminals except for the confidence the Progent experts afforded us. The fact that you could get our messaging and production servers back into operation quicker than a week was something I thought impossible. Each staff member I worked with or messaged at Progent was hell bent on getting us working again and was working breakneck pace on our behalf."
Progent worked together with the client to quickly assess and assign priority to the mission critical systems that needed to be recovered in order to resume departmental functions:
- Windows Active Directory
- Exchange Server
- Accounting/MRP
To get going, Progent followed ransomware penetration response best practices by halting the spread and disinfecting systems. Progent then began the steps of restoring Microsoft Active Directory, the key technology of enterprise systems built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the customer's accounting and MRP software utilized Microsoft SQL, which requires Active Directory for access to the information.
Within two days, Progent was able to rebuild Active Directory services to its pre-intrusion state. Progent then helped perform reinstallations and hard drive recovery of the most important applications. All Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to locate local OST files (Outlook Off-Line Folder Files) on staff PCs and laptops in order to recover mail messages. A recent off-line backup of the businesses financials/MRP software made them able to return these essential services back on-line. Although a large amount of work still had to be done to recover completely from the Ryuk virus, essential services were restored quickly:
"For the most part, the production operation never missed a beat and we delivered all customer sales."
Over the following month important milestones in the restoration project were made through close collaboration between Progent team members and the client:
- In-house web sites were returned to operation with no loss of data.
- The MailStore Exchange Server exceeding four million historical messages was brought online and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control modules were fully operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Most of the user workstations were being used by staff.
"So much of what happened that first week is mostly a blur for me, but my team will not forget the care all of the team put in to give us our business back. I have trusted Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This event was a stunning achievement."
Conclusion
A potential business disaster was avoided by dedicated professionals, a broad range of technical expertise, and close collaboration. Although in retrospect the ransomware virus incident detailed here would have been disabled with up-to-date security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and well designed security procedures for data backup and keeping systems up to date with security patches, the reality remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware incident, remember that Progent's roster of professionals has a proven track record in ransomware virus defense, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), I'm grateful for making it so I could get some sleep after we made it past the first week. All of you did an amazing effort, and if any of your guys is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Leeds a portfolio of online monitoring and security assessment services designed to assist you to minimize the threat from ransomware. These services utilize modern AI capability to detect zero-day variants of crypto-ransomware that are able to evade legacy signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior analysis technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily get by legacy signature-based AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to address the complete threat progression including protection, detection, mitigation, remediation, and forensics. Top features include single-click rollback using Windows VSS and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge tools packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP environment that meets your company's unique needs and that allows you prove compliance with legal and industry information security regulations. Progent will assist you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate action. Progent can also assist your company to set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore software providers to produce ProSight Data Protection Services, a portfolio of offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup processes and allow non-disruptive backup and fast restoration of critical files/folders, applications, system images, plus virtual machines. ProSight DPS helps you protect against data loss resulting from equipment breakdown, natural disasters, fire, malware like ransomware, human error, ill-intentioned employees, or application bugs. Managed services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security vendors to deliver centralized management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to offer complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter serves as a first line of defense and keeps the vast majority of threats from making it to your network firewall. This decreases your vulnerability to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper layer of analysis for inbound email. For outbound email, the onsite security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers plus servers, printers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating complex management and troubleshooting activities, WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, finding devices that need important updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to keep your IT system running at peak levels by tracking the state of vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your specified IT management personnel and your assigned Progent consultant so that any looming problems can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect information related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can eliminate as much as half of time spent trying to find critical information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Find out more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates next generation behavior analysis technology to defend endpoint devices and physical and virtual servers against new malware attacks like ransomware and file-less exploits, which easily escape legacy signature-based AV tools. Progent Active Security Monitoring services protect on-premises and cloud resources and offers a unified platform to address the entire threat lifecycle including filtering, detection, containment, cleanup, and forensics. Key features include one-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Call Desk: Call Center Managed Services
Progent's Support Desk managed services permit your information technology group to offload Call Center services to Progent or divide activity for Service Desk support transparently between your in-house support team and Progent's extensive pool of certified IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a seamless extension of your in-house IT support team. End user access to the Service Desk, provision of support, issue escalation, trouble ticket generation and tracking, efficiency measurement, and maintenance of the support database are cohesive regardless of whether issues are taken care of by your in-house support staff, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Call Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management offer organizations of any size a flexible and cost-effective solution for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic IT system. In addition to maximizing the security and functionality of your computer environment, Progent's software/firmware update management services allow your in-house IT team to concentrate on line-of-business initiatives and tasks that derive the highest business value from your network. Learn more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation with Apple iOS, Google Android, and other personal devices. With Duo 2FA, whenever you log into a protected online account and enter your password you are asked to verify who you are via a device that only you have and that is accessed using a different network channel. A wide range of devices can be utilized for this second form of ID validation including a smartphone or watch, a hardware token, a landline telephone, etc. You may designate several validation devices. For details about ProSight Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of in-depth management reporting plug-ins designed to work with the top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For Leeds 24/7/365 CryptoLocker Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.