Ransomware : Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic that represents an extinction-level danger for organizations poorly prepared for an attack. Earlier families such as the CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been running rampant for a long time and still inflict havoc. Recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus a steady stream of as yet unnamed newcomers, not only encrypt online information but also target any backup and recovery systems they can reach. Files synchronized to the cloud can also be held hostage. In a vulnerable environment this can render automated restore operations hopeless and effectively knocks the entire system back to square one.
Recovering services and data following a ransomware event becomes a race against the clock as the targeted business struggles to stop lateral movement, clear the ransomware, and resume enterprise-critical operations. Because ransomware takes time to spread across a network, attacks are frequently sprung on weekends and holidays, when a successful intrusion often takes longer to recognize. This compounds the difficulty of rapidly marshalling and organizing a knowledgeable response team.
Progent makes available a range of support services for protecting businesses from crypto-ransomware attacks. These include user training to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security tools with machine learning capabilities from SentinelOne to discover and disable zero-day cyber threats quickly. Progent also provides the services of experienced crypto-ransomware recovery engineers with the skills and commitment to re-deploy a compromised system as rapidly as possible.
Progent's Ransomware Restoration Help
Following a crypto-ransomware event, paying the ransom in cryptocurrency does not guarantee that merciless criminals will respond with the keys to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms are commonly a few hundred thousand dollars. For larger organizations, the ransom demand can reach millions of dollars. The other path is to rebuild from scratch the essential components of your IT environment. Without complete information backups, this requires a broad range of skill sets, top-notch team management, and the willingness to work 24x7 until the task is done.
For twenty years, Progent has offered professional IT services for businesses across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent in addition has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the skills to efficiently identify important systems, organize the surviving pieces of your network following a ransomware penetration, and rebuild them into an operational system.
Progent's security team has top-notch project management systems to orchestrate the sophisticated recovery process. Progent understands the importance of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and to put critical systems back online as soon as possible.
Business Case Study: A Successful Ransomware Attack Response
A customer engaged Progent after their company was brought down by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state hackers, suspected of using techniques leaked from the U.S. NSA. Ryuk targets specific organizations with little or no room for operational disruption and is one of the most profitable versions of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company based in the Chicago metro area with around 500 staff members. The Ryuk event had brought down all business operations and manufacturing capabilities. The majority of the client's system backups had been online at the time of the attack and were destroyed. The client was taking steps to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately engaged Progent instead.
"I can't say enough in regards to the expertise Progent provided us throughout the most stressful period of (our) business's existence. We may have had to pay the criminal gangs except for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and production servers back quicker than one week was beyond my wildest dreams. Each expert I spoke to or e-mailed at Progent was totally committed to getting us working again and was working 24/7 on our behalf."
Progent worked hand in hand with the client to rapidly identify and prioritize the critical applications that had to be recovered to make it possible to resume company functions:
- Active Directory (AD)
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by isolating infected systems and cleaning them of malware. Progent then began the work of recovering Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not work without Active Directory, and the business's accounting and MRP software utilized SQL Server, which requires Active Directory services for access to the database.
Within 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then performed reinstallations and storage recovery of key servers. All Exchange Server data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Offline Folder Files) on various PCs and laptops to recover email data. A fairly recent offline backup of the customer's manufacturing software made it possible to bring these essential services back online for users. Although major work still had to be done to recover completely from the Ryuk event, the most important systems were returned to operation rapidly:
"For the most part, the production operation ran fairly normal throughout and we made all customer orders."
During the following few weeks, important milestones in the recovery process were reached through close collaboration between Progent consultants and the customer:
- Internal web applications were returned to operation with no loss of information.
- The MailStore archive server, holding more than four million historical messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control modules were 100% restored.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"Much of what went on those first few days is nearly entirely a haze for me, but I will not forget the urgency each of the team put in to give us our business back. I've been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered. This time was a testament to your capabilities."
Conclusion
A likely business-killing catastrophe was averted by hard-working experts, a wide spectrum of technical expertise, and tight teamwork. Although in hindsight the ransomware attack described here would have been shut down by advanced cyber security systems and recognized best practices, user and IT administrator training, and well thought out incident response procedures for data backup and proper patching controls, the reality is that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's team of professionals has proven experience in crypto-ransomware blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), thanks very much for making it so I could get some sleep after we made it through the first week. All of you did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Richmond a portfolio of online monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services incorporate modern AI capability to detect zero-day strains of ransomware that are able to escape detection by legacy signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely get by legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a single platform to automate the entire threat lifecycle including blocking, detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering through leading-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can help your business to plan and configure a ProSight ESP deployment that addresses your organization's unique requirements and that allows you to achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you in specifying and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent can also help your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has partnered with leading backup/restore technology companies to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS products automate and monitor your backup processes and enable transparent backup and fast recovery of vital files, apps, images, and virtual machines. ProSight DPS helps your business protect against data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, ill-intentioned insiders, or software glitches. Managed backup services in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security companies to provide web-based control and comprehensive protection for your email traffic. The layered architecture of the Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. The cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email before it reaches your security perimeter. This decreases your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a further level of analysis for incoming email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map, monitor, optimize and debug their connectivity hardware such as routers, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are kept current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating complex network management activities, ProSight WAN Watch can cut hours off common chores such as network mapping, expanding your network, finding appliances that need important updates, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system running efficiently by checking the state of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT management personnel and your Progent engineering consultant so that all looming issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hardware environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect data related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can save as much as half of the time spent trying to find critical information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior analysis technology to guard endpoint devices as well as physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and offer a unified platform to manage the complete threat progression including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Help Center: Call Center Managed Services
Progent's Help Center managed services permit your information technology team to outsource Support Desk services to Progent or divide activity for support services seamlessly between your internal support team and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a transparent extension of your core network support organization. Client access to the Help Desk, delivery of support services, escalation, trouble ticket creation and updates, performance measurement, and maintenance of the service database are consistent regardless of whether issues are resolved by your internal network support group, by Progent's team, or both. Read more about Progent's outsourced/co-managed Help Center services.
- Progent's Patch Management: Patch Management Services
Progent's support services for patch management offer organizations of any size a flexible and affordable alternative for evaluating, validating, scheduling, implementing, and documenting updates to your ever-evolving IT network. In addition to maximizing the protection and functionality of your computer environment, Progent's patch management services allow your in-house IT team to focus on line-of-business projects and tasks that derive the highest business value from your network. Learn more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against compromised passwords through the use of two-factor authentication. Duo supports one-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a secured online account and enter your password, you are asked to verify your identity on a device that only you possess and that is reached over a different ("out-of-band") network channel. A broad range of devices can be utilized for this second means of ID validation, such as an iPhone, Android phone or wearable, a hardware or software token, or a landline telephone. You can register several validation devices. To find out more about ProSight Duo two-factor identity authentication services, see Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time reporting utilities created to work with the industry's leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as inconsistent support follow-through or machines with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24-7 Richmond Crypto Cleanup Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.