Crypto-Ransomware : Your Feared IT Nightmare
Ransomware has become an escalating cyber pandemic that presents an enterprise-level threat for organizations poorly prepared for an attack. Multiple generations of ransomware like the Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and still inflict havoc. Recent variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as daily as yet unnamed viruses, not only do encryption of on-line information but also infect most accessible system restores and backups. Information synchronized to off-site disaster recovery sites can also be encrypted. In a poorly architected system, this can make automated recovery impossible and basically knocks the entire system back to square one.
Getting back online programs and information following a crypto-ransomware intrusion becomes a race against time as the targeted organization fights to contain and cleanup the crypto-ransomware and to resume enterprise-critical activity. Since crypto-ransomware takes time to replicate, attacks are usually launched at night, when attacks are likely to take longer to notice. This compounds the difficulty of rapidly mobilizing and orchestrating a qualified response team.
Progent offers an assortment of solutions for securing businesses from crypto-ransomware penetrations. These include staff education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security solutions with AI technology from SentinelOne to detect and suppress zero-day threats quickly. Progent in addition offers the assistance of experienced ransomware recovery engineers with the talent and perseverance to re-deploy a compromised network as rapidly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not guarantee that cyber criminals will return the codes to decrypt any or all of your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to re-install the essential elements of your Information Technology environment. Without access to full data backups, this requires a broad complement of skill sets, top notch team management, and the ability to work 24x7 until the task is completed.
For two decades, Progent has made available professional Information Technology services for businesses in St. Paul and throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded advanced industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience with financial systems and ERP software solutions. This breadth of experience affords Progent the ability to rapidly determine necessary systems and re-organize the remaining pieces of your network system after a ransomware event and rebuild them into a functioning system.
Progent's security team deploys state-of-the-art project management systems to coordinate the complicated recovery process. Progent knows the urgency of acting quickly and in unison with a client's management and IT team members to prioritize tasks and to get the most important systems back on line as soon as humanly possible.
Business Case Study: A Successful Ransomware Penetration Response
A small business escalated to Progent after their network system was crashed by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by Northern Korean state cybercriminals, possibly adopting techniques leaked from the U.S. NSA organization. Ryuk attacks specific companies with little or no tolerance for disruption and is one of the most profitable versions of ransomware malware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago and has around 500 workers. The Ryuk event had brought down all company operations and manufacturing capabilities. Most of the client's backups had been on-line at the start of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom (exceeding two hundred thousand dollars) and praying for good luck, but in the end made the decision to use Progent.
"I cannot thank you enough about the support Progent gave us throughout the most fearful period of (our) businesses survival. We would have paid the cybercriminals except for the confidence the Progent team afforded us. That you were able to get our messaging and key applications back online quicker than five days was something I thought impossible. Every single staff member I interacted with or messaged at Progent was absolutely committed on getting us restored and was working all day and night to bail us out."
Progent worked together with the client to quickly get our arms around and prioritize the most important applications that had to be restored in order to restart departmental operations:
To get going, Progent adhered to AV/Malware Processes penetration mitigation best practices by halting lateral movement and disinfecting systems. Progent then began the task of rebuilding Active Directory, the heart of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without Active Directory, and the customer's MRP applications used Microsoft SQL Server, which needs Active Directory for authentication to the databases.
- Microsoft Active Directory
- Microsoft Exchange
- MRP System
In less than 2 days, Progent was able to recover Active Directory to its pre-penetration state. Progent then performed rebuilding and hard drive recovery of key systems. All Microsoft Exchange Server ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to locate local OST files (Outlook Email Off-Line Folder Files) on staff workstations and laptops to recover mail messages. A recent offline backup of the customer's financials/ERP systems made them able to restore these essential services back on-line. Although major work still had to be done to recover completely from the Ryuk event, core services were recovered rapidly:
"For the most part, the production line operation showed little impact and we made all customer deliverables."
Throughout the following few weeks important milestones in the restoration project were made through tight collaboration between Progent engineers and the client:
- Internal web sites were brought back up without losing any information.
- The MailStore Server exceeding four million archived messages was restored to operations and available for users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory functions were completely operational.
- A new Palo Alto 850 security appliance was brought on-line.
- Ninety percent of the user PCs were operational.
"A lot of what happened during the initial response is mostly a blur for me, but we will not soon forget the commitment all of the team put in to help get our company back. I've trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This time was a life saver."
A potential business-ending catastrophe was dodged with dedicated professionals, a broad range of knowledge, and tight collaboration. Although upon completion of forensics the ransomware virus attack detailed here would have been prevented with advanced cyber security solutions and NIST Cybersecurity Framework best practices, user education, and properly executed security procedures for information protection and applying software patches, the reality is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware penetration, remember that Progent's team of professionals has substantial experience in ransomware virus blocking, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for allowing me to get some sleep after we made it over the first week. Everyone did an amazing job, and if anyone is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in St. Paul a range of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services incorporate next-generation artificial intelligence capability to uncover new strains of ransomware that are able to evade traditional signature-based security solutions.
For 24/7/365 St. Paul Ransomware Recovery Support Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior-based analysis tools to defend physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily get by legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to manage the complete malware attack lifecycle including filtering, identification, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection services offer affordable in-depth security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers firewall protection, penetration alerts, device control, and web filtering through leading-edge technologies incorporated within a single agent accessible from a unified console. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP deployment that meets your company's unique needs and that helps you prove compliance with government and industry data protection regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require immediate action. Progent can also help you to install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with leading backup/restore software companies to produce ProSight Data Protection Services, a portfolio of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and allow transparent backup and rapid recovery of vital files, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss resulting from equipment failures, natural disasters, fire, malware like ransomware, user error, malicious employees, or application glitches. Managed services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security companies to provide web-based management and comprehensive security for all your inbound and outbound email. The hybrid structure of Email Guard integrates cloud-based filtering with an on-premises gateway device to provide complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from making it to your network firewall. This reduces your vulnerability to external threats and saves system bandwidth and storage. Email Guard's on-premises gateway device provides a deeper layer of inspection for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email that stays inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, finding appliances that require important software patches, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating at peak levels by checking the state of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT staff and your Progent engineering consultant so any looming problems can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hardware solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard data related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By updating and managing your IT documentation, you can eliminate as much as half of time spent looking for critical information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Read more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior machine learning tools to guard endpoints and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching AV tools. Progent ASM services protect local and cloud resources and provides a single platform to address the complete threat progression including filtering, identification, containment, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Find out more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Help Desk: Help Desk Managed Services
Progent's Call Desk services allow your information technology staff to outsource Call Center services to Progent or split activity for Service Desk support seamlessly between your in-house network support resources and Progent's extensive pool of IT service engineers and subject matter experts. Progent's Co-managed Service Desk provides a transparent supplement to your corporate support group. End user access to the Service Desk, provision of support services, escalation, ticket creation and tracking, efficiency metrics, and management of the support database are cohesive whether issues are taken care of by your core network support organization, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Help Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective alternative for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your dynamic information network. Besides maximizing the security and reliability of your computer network, Progent's software/firmware update management services free up time for your IT staff to focus on line-of-business projects and tasks that derive maximum business value from your information network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication. Duo enables single-tap identity verification on Apple iOS, Google Android, and other personal devices. Using 2FA, whenever you log into a protected application and give your password you are requested to confirm your identity on a unit that only you have and that is accessed using a different network channel. A wide selection of out-of-band devices can be utilized for this added form of authentication such as a smartphone or wearable, a hardware/software token, a landline phone, etc. You may register multiple validation devices. To find out more about Duo two-factor identity authentication services, go to Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding line of in-depth reporting utilities created to work with the top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like inconsistent support follow-through or endpoints with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.