Ransomware : Your Feared IT Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential danger for organizations unprepared for an attack. Multiple generations of ransomware like the CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and continue to cause harm. The latest variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, along with additional as yet unnamed newcomers, not only do encryption of on-line data but also infiltrate many available system restores and backups. Information synchronized to cloud environments can also be ransomed. In a poorly designed data protection solution, it can render automatic restore operations useless and basically sets the network back to square one.
Recovering programs and data after a ransomware outage becomes a sprint against time as the targeted business fights to contain the damage and clear the ransomware and to resume enterprise-critical activity. Due to the fact that ransomware takes time to spread, attacks are frequently sprung on weekends and holidays, when successful penetrations tend to take more time to uncover. This compounds the difficulty of quickly assembling and orchestrating a capable response team.
Progent makes available an assortment of help services for securing businesses from ransomware penetrations. Among these are user training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security solutions with machine learning capabilities from SentinelOne to discover and disable day-zero threats rapidly. Progent in addition offers the services of experienced crypto-ransomware recovery professionals with the track record and perseverance to re-deploy a compromised system as soon as possible.
Progent's Ransomware Recovery Services
Following a crypto-ransomware event, sending the ransom demands in cryptocurrency does not guarantee that merciless criminals will respond with the needed keys to decrypt any or all of your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well higher than the usual crypto-ransomware demands, which ZDNET averages to be around $13,000. The other path is to setup from scratch the essential elements of your IT environment. Without the availability of essential system backups, this calls for a broad range of skill sets, well-coordinated team management, and the ability to work continuously until the task is completed.
For twenty years, Progent has offered professional Information Technology services for companies in St. Paul and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and major distros of Linux. Progent's cyber security engineers have earned internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience with financial management and ERP application software. This breadth of experience affords Progent the skills to knowledgably understand critical systems and consolidate the surviving components of your IT environment after a ransomware penetration and configure them into an operational system.
Progent's recovery team has powerful project management tools to orchestrate the complex recovery process. Progent understands the urgency of working quickly and in concert with a client's management and Information Technology team members to assign priority to tasks and to put essential systems back online as soon as possible.
Customer Case Study: A Successful Ransomware Incident Recovery
A small business escalated to Progent after their network system was taken over by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state criminal gangs, possibly using technology exposed from the U.S. National Security Agency. Ryuk seeks specific organizations with limited ability to sustain disruption and is one of the most lucrative instances of ransomware viruses. Well Known targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago and has about 500 employees. The Ryuk event had shut down all business operations and manufacturing processes. The majority of the client's data protection had been online at the time of the intrusion and were eventually encrypted. The client considered paying the ransom (more than $200,000) and praying for the best, but ultimately reached out to Progent.
"I can't speak enough in regards to the care Progent gave us throughout the most critical period of (our) businesses life. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent group gave us. That you were able to get our e-mail system and key applications back faster than 1 week was beyond my wildest dreams. Each expert I worked with or texted at Progent was absolutely committed on getting my company operational and was working 24/7 on our behalf."
Progent worked with the client to quickly determine and prioritize the most important areas that needed to be restored to make it possible to resume company operations:
- Microsoft Active Directory
- Microsoft Exchange Server
- Financials/MRP
To start, Progent adhered to Anti-virus penetration mitigation best practices by halting the spread and removing active viruses. Progent then started the work of recovering Microsoft AD, the heart of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the businesses' MRP software used SQL Server, which requires Windows AD for authentication to the database.
Within two days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then performed setup and storage recovery of essential systems. All Exchange Server data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to assemble non-encrypted OST data files (Microsoft Outlook Offline Data Files) on user PCs and laptops in order to recover email information. A recent offline backup of the client's financials/MRP software made it possible to recover these vital applications back online for users. Although a lot of work still had to be done to recover fully from the Ryuk attack, the most important services were recovered quickly:
"For the most part, the assembly line operation never missed a beat and we delivered all customer shipments."
During the following month key milestones in the restoration process were made in tight cooperation between Progent consultants and the customer:
- In-house web sites were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server containing more than 4 million historical messages was spun up and accessible to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control modules were 100% restored.
- A new Palo Alto 850 security appliance was set up and programmed.
- 90% of the user workstations were fully operational.
"So much of what happened that first week is mostly a haze for me, but my team will not forget the dedication each and every one of your team accomplished to give us our company back. I've trusted Progent for the past ten years, possibly more, and every time Progent has shined and delivered as promised. This situation was the most impressive ever."
Conclusion
A probable company-ending disaster was avoided due to results-oriented professionals, a broad spectrum of technical expertise, and close teamwork. Although in retrospect the ransomware virus incident described here would have been identified and prevented with up-to-date cyber security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and appropriate security procedures for information protection and proper patching controls, the reality remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware incident, feel confident that Progent's roster of experts has a proven track record in ransomware virus blocking, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for making it so I could get rested after we got through the initial fire. All of you did an incredible effort, and if anyone that helped is visiting the Chicago area, dinner is on me!"
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in St. Paul a range of online monitoring and security assessment services to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation artificial intelligence technology to uncover zero-day strains of ransomware that can escape detection by traditional signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to automate the entire threat lifecycle including filtering, detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that meets your company's specific requirements and that helps you demonstrate compliance with legal and industry data protection standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also assist you to install and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has partnered with advanced backup technology providers to create ProSight Data Protection Services, a selection of subscription-based offerings that provide backup-as-a-service. ProSight DPS services manage and track your data backup processes and enable non-disruptive backup and rapid restoration of critical files, apps, system images, and VMs. ProSight DPS lets your business avoid data loss resulting from hardware failures, natural calamities, fire, malware such as ransomware, user error, ill-intentioned insiders, or application glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to provide centralized control and comprehensive security for your email traffic. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based threats. The Cloud Protection Layer acts as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's onsite security gateway device adds a further level of analysis for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map out, track, optimize and troubleshoot their networking appliances such as routers, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are kept current, captures and manages the configuration of virtually all devices on your network, monitors performance, and generates notices when potential issues are discovered. By automating tedious management activities, WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating appliances that require critical updates, or resolving performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by checking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT management staff and your Progent consultant so that any looming issues can be resolved before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved easily to a different hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSLs or warranties. By updating and managing your network documentation, you can save up to half of time thrown away looking for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes next generation behavior-based analysis tools to guard endpoint devices as well as servers and VMs against new malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-matching AV products. Progent Active Security Monitoring services protect local and cloud resources and offers a single platform to address the complete malware attack progression including protection, identification, mitigation, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Call Center: Call Center Managed Services
Progent's Support Center managed services permit your information technology staff to offload Help Desk services to Progent or split activity for Service Desk support transparently between your internal network support resources and Progent's extensive roster of IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your internal support staff. End user interaction with the Help Desk, provision of technical assistance, issue escalation, ticket generation and tracking, performance metrics, and maintenance of the service database are consistent regardless of whether issues are taken care of by your corporate support organization, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Service Center services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for patch management offer organizations of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking updates to your dynamic IT system. In addition to maximizing the security and functionality of your IT network, Progent's patch management services allow your IT staff to concentrate on line-of-business projects and tasks that deliver maximum business value from your information network. Find out more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication. Duo enables one-tap identity verification on iOS, Android, and other out-of-band devices. Using Duo 2FA, when you log into a secured online account and give your password you are requested to verify your identity via a unit that only you have and that uses a separate network channel. A broad selection of devices can be utilized for this second form of authentication including an iPhone or Android or watch, a hardware token, a landline telephone, etc. You may register several validation devices. To learn more about ProSight Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing family of real-time management reporting tools created to work with the industry's top ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as inconsistent support follow-up or endpoints with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For St. Paul 24x7x365 CryptoLocker Removal Experts, call Progent at 800-462-8800 or go to Contact Progent.