Crypto-Ransomware : Your Worst Information Technology Catastrophe
Crypto-Ransomware has become a too-frequent cyberplague that presents an enterprise-level threat for businesses of all sizes poorly prepared for an attack. Different iterations of ransomware like the Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and still inflict havoc. Modern versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus more as yet unnamed viruses, not only do encryption of online files but also infect most available system backups. Data synched to the cloud can also be ransomed. In a poorly designed data protection solution, this can render automatic recovery useless and effectively sets the entire system back to zero.
Restoring services and data following a crypto-ransomware attack becomes a race against time as the victim struggles to stop the spread and cleanup the ransomware and to restore enterprise-critical operations. Due to the fact that ransomware needs time to move laterally, penetrations are usually sprung during weekends and nights, when penetrations typically take more time to recognize. This compounds the difficulty of quickly assembling and coordinating a knowledgeable response team.
Progent makes available a variety of services for securing organizations from crypto-ransomware events. Among these are team member education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security gateways with machine learning capabilities from SentinelOne to identify and extinguish new cyber threats quickly. Progent also offers the assistance of expert ransomware recovery professionals with the skills and commitment to re-deploy a breached system as urgently as possible.
Progent's Ransomware Restoration Help
Soon after a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will provide the needed codes to unencrypt any of your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to piece back together the critical components of your IT environment. Without access to complete data backups, this calls for a broad range of skill sets, professional team management, and the willingness to work non-stop until the recovery project is complete.
For twenty years, Progent has offered expert IT services for companies in Richmond and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and major distros of Linux. Progent's security experts have earned internationally-renowned certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with accounting and ERP application software. This breadth of experience gives Progent the capability to rapidly ascertain critical systems and re-organize the surviving components of your Information Technology system following a crypto-ransomware attack and assemble them into an operational system.
Progent's security group deploys top notch project management tools to coordinate the complex recovery process. Progent knows the urgency of acting rapidly and in unison with a client's management and IT team members to assign priority to tasks and to get critical systems back online as soon as humanly possible.
Client Story: A Successful Ransomware Penetration Response
A client escalated to Progent after their organization was taken over by Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean government sponsored criminal gangs, possibly adopting strategies exposed from the United States National Security Agency. Ryuk seeks specific businesses with limited tolerance for operational disruption and is one of the most lucrative versions of ransomware. High publicized organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk attack had shut down all company operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the beginning of the intrusion and were destroyed. The client was pursuing financing for paying the ransom (in excess of $200,000) and wishfully thinking for good luck, but in the end utilized Progent.
"I can't tell you enough about the care Progent provided us during the most stressful period of (our) businesses survival. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent group provided us. The fact that you were able to get our messaging and production servers back on-line faster than seven days was amazing. Each expert I got help from or messaged at Progent was amazingly focused on getting us back online and was working day and night on our behalf."
Progent worked hand in hand the client to quickly determine and prioritize the key elements that had to be recovered to make it possible to restart departmental operations:
- Windows Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To start, Progent followed ransomware event response best practices by isolating and removing active viruses. Progent then began the work of restoring Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Exchange email will not function without Active Directory, and the businesses' MRP software leveraged Microsoft SQL, which needs Active Directory services for access to the data.
In less than 2 days, Progent was able to restore Active Directory services to its pre-attack state. Progent then helped perform reinstallations and storage recovery of needed applications. All Microsoft Exchange Server data and configuration information were usable, which facilitated the restore of Exchange. Progent was able to locate local OST files (Outlook Offline Data Files) on staff PCs and laptops in order to recover email information. A recent offline backup of the client's accounting systems made them able to restore these vital applications back on-line. Although major work was left to recover totally from the Ryuk virus, critical systems were restored quickly:
"For the most part, the production operation was never shut down and we produced all customer orders."
During the next few weeks critical milestones in the recovery project were achieved through close cooperation between Progent team members and the client:
- In-house web sites were brought back up with no loss of data.
- The MailStore Server with over four million historical emails was brought online and accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent operational.
- A new Palo Alto 850 firewall was deployed.
- Ninety percent of the desktops and laptops were back into operation.
"A lot of what was accomplished in the initial days is mostly a haze for me, but we will not soon forget the care each and every one of your team put in to give us our business back. I've been working with Progent for the past 10 years, possibly more, and every time Progent has shined and delivered. This time was a Herculean accomplishment."
Conclusion
A potential business disaster was averted through the efforts of hard-working experts, a wide spectrum of knowledge, and close collaboration. Although upon completion of forensics the ransomware incident detailed here would have been shut down with up-to-date cyber security solutions and security best practices, team training, and properly executed incident response procedures for data backup and proper patching controls, the fact remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of experts has proven experience in crypto-ransomware virus blocking, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get some sleep after we made it past the most critical parts. All of you did an amazing effort, and if any of your team is visiting the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Richmond a variety of remote monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services incorporate modern artificial intelligence capability to uncover new variants of ransomware that are able to get past traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's cutting edge behavior analysis technology to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a single platform to automate the entire malware attack lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device management, and web filtering through leading-edge tools incorporated within one agent accessible from a single console. Progent's data protection and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that addresses your organization's unique needs and that helps you demonstrate compliance with government and industry information security standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent's consultants can also assist you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has worked with advanced backup software companies to produce ProSight Data Protection Services, a family of offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup processes and enable non-disruptive backup and rapid restoration of vital files/folders, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss caused by equipment breakdown, natural calamities, fire, cyber attacks like ransomware, human error, ill-intentioned insiders, or software glitches. Managed backup services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these fully managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top data security vendors to deliver web-based control and comprehensive security for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from making it to your network firewall. This decreases your vulnerability to external threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper level of inspection for incoming email. For outbound email, the onsite security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and protect internal email that stays inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, optimize and troubleshoot their networking hardware such as routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept updated, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and sends notices when problems are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, finding devices that require critical software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running efficiently by tracking the health of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT management personnel and your Progent consultant so that any looming problems can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hosting solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates ,domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as half of time thrown away looking for vital information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates next generation behavior machine learning technology to guard endpoints and servers and VMs against modern malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-matching anti-virus products. Progent ASM services safeguard on-premises and cloud resources and offers a single platform to address the entire malware attack progression including filtering, detection, containment, remediation, and post-attack forensics. Key features include single-click rollback with Windows VSS and automatic system-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Call Desk: Call Center Managed Services
Progent's Call Desk managed services permit your information technology staff to outsource Support Desk services to Progent or split activity for Help Desk services seamlessly between your internal support team and Progent's nationwide roster of IT service engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless supplement to your corporate IT support team. End user access to the Help Desk, delivery of technical assistance, problem escalation, ticket generation and tracking, performance measurement, and management of the support database are consistent whether incidents are resolved by your corporate support staff, by Progent, or both. Learn more about Progent's outsourced/co-managed Service Desk services.
- Progent's Patch Management: Patch Management Services
Progent's support services for patch management offer businesses of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information network. In addition to optimizing the protection and functionality of your IT network, Progent's patch management services permit your IT staff to focus on more strategic projects and tasks that derive the highest business value from your network. Find out more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication. Duo supports one-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you sign into a protected application and enter your password you are asked to verify your identity on a device that only you possess and that is accessed using a separate network channel. A broad selection of out-of-band devices can be utilized for this added form of authentication including an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You may designate multiple validation devices. For more information about ProSight Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of in-depth management reporting tools designed to work with the leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24-Hour Richmond Crypto Repair Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.