Ransomware : Your Feared IT Nightmare
Ransomware has become an escalating cyberplague that represents an extinction-level danger for organizations poorly prepared for an attack. Different iterations of ransomware such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been around for many years and still inflict destruction. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with additional unnamed malware, not only do encryption of on-line critical data but also infect most available system backup. Files replicated to the cloud can also be corrupted. In a poorly designed environment, this can make any restore operations hopeless and basically knocks the entire system back to square one.
Recovering services and information after a crypto-ransomware outage becomes a sprint against time as the victim struggles to contain the damage and eradicate the ransomware and to restore business-critical operations. Due to the fact that ransomware needs time to replicate, penetrations are often launched during weekends and nights, when penetrations typically take more time to uncover. This compounds the difficulty of promptly assembling and orchestrating a capable response team.
Progent provides a range of services for securing organizations from ransomware attacks. Among these are team member education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security appliances with artificial intelligence capabilities from SentinelOne to identify and extinguish zero-day cyber attacks rapidly. Progent also offers the services of expert ransomware recovery professionals with the track record and perseverance to restore a breached environment as urgently as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, sending the ransom demands in cryptocurrency does not ensure that criminal gangs will provide the needed codes to decipher any of your information. Kaspersky ascertained that seventeen percent of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the typical crypto-ransomware demands, which ZDNET determined to be around $13,000. The alternative is to piece back together the key elements of your IT environment. Without access to full data backups, this calls for a broad range of skills, well-coordinated team management, and the ability to work 24x7 until the job is finished.
For twenty years, Progent has offered professional Information Technology services for companies in Colorado Springs and across the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial management and ERP application software. This breadth of experience provides Progent the capability to knowledgably understand critical systems and integrate the surviving parts of your network system following a crypto-ransomware penetration and configure them into an operational network.
Progent's recovery team of experts uses top notch project management applications to orchestrate the complicated recovery process. Progent understands the importance of acting swiftly and in concert with a client's management and Information Technology staff to prioritize tasks and to put key applications back online as soon as humanly possible.
Client Case Study: A Successful Ransomware Incident Restoration
A business hired Progent after their organization was brought down by Ryuk ransomware virus. Ryuk is generally considered to have been developed by Northern Korean government sponsored cybercriminals, suspected of using algorithms leaked from America's National Security Agency. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most profitable incarnations of crypto-ransomware. Headline targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago with about 500 workers. The Ryuk intrusion had brought down all company operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the attack and were encrypted. The client was evaluating paying the ransom (more than $200K) and praying for the best, but in the end utilized Progent.
"I cannot say enough about the expertise Progent provided us during the most fearful period of (our) businesses survival. We had little choice but to pay the Hackers if it wasn't for the confidence the Progent group afforded us. That you were able to get our e-mail and production applications back into operation in less than 1 week was beyond my wildest dreams. Every single consultant I talked with or e-mailed at Progent was absolutely committed on getting us operational and was working all day and night to bail us out."
Progent worked hand in hand the client to rapidly understand and assign priority to the key areas that had to be recovered to make it possible to continue departmental operations:
To get going, Progent adhered to AV/Malware Processes incident mitigation industry best practices by isolating and cleaning up infected systems. Progent then initiated the task of restoring Microsoft Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the businesses' financials and MRP applications utilized Microsoft SQL Server, which requires Windows AD for authentication to the database.
- Windows Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
In less than 2 days, Progent was able to restore Active Directory services to its pre-penetration state. Progent then helped perform reinstallations and hard drive recovery on critical servers. All Microsoft Exchange Server ties and configuration information were usable, which accelerated the restore of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Off-Line Data Files) on various desktop computers and laptops to recover email messages. A not too old off-line backup of the customer's accounting systems made them able to recover these required services back online. Although a lot of work was left to recover completely from the Ryuk damage, core systems were recovered rapidly:
"For the most part, the assembly line operation was never shut down and we delivered all customer deliverables."
During the following few weeks key milestones in the recovery project were achieved through close collaboration between Progent team members and the customer:
- In-house web applications were returned to operation with no loss of data.
- The MailStore Server containing more than 4 million historical emails was brought on-line and accessible to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control modules were 100% recovered.
- A new Palo Alto Networks 850 security appliance was deployed.
- Most of the user workstations were functioning as before the incident.
"Much of what transpired that first week is nearly entirely a haze for me, but we will not forget the commitment all of your team put in to give us our business back. I've entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This event was a Herculean accomplishment."
A probable business-ending disaster was dodged with hard-working experts, a broad array of technical expertise, and close collaboration. Although upon completion of forensics the crypto-ransomware virus attack detailed here could have been stopped with advanced security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well thought out security procedures for backup and keeping systems up to date with security patches, the fact is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, feel confident that Progent's roster of experts has extensive experience in ransomware virus blocking, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thank you for allowing me to get some sleep after we got over the initial push. Everyone did an amazing job, and if any of your team is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Colorado Springs a range of online monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services incorporate next-generation machine learning technology to uncover new strains of ransomware that can evade traditional signature-based anti-virus products.
For Colorado Springs 24/7/365 Crypto Repair Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely get by traditional signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to manage the complete malware attack lifecycle including blocking, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge technologies packaged within one agent managed from a single control. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP environment that meets your organization's unique requirements and that helps you demonstrate compliance with legal and industry information security standards. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also assist your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has worked with leading backup/restore technology providers to produce ProSight Data Protection Services, a family of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup processes and enable non-disruptive backup and rapid recovery of vital files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or software bugs. Managed services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security companies to deliver centralized control and comprehensive protection for all your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most threats from reaching your network firewall. This decreases your exposure to external threats and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a further layer of analysis for inbound email. For outgoing email, the local gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their connectivity appliances such as routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that network diagrams are kept current, copies and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating time-consuming network management activities, WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, finding devices that require important updates, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by checking the state of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your Progent consultant so that all looming issues can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be ported immediately to a different hosting solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and protect data about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs or warranties. By cleaning up and managing your network documentation, you can eliminate up to half of time spent looking for vital information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes cutting edge behavior-based machine learning technology to guard endpoint devices and physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which easily evade legacy signature-based AV products. Progent ASM services protect local and cloud resources and provides a unified platform to address the entire malware attack progression including blocking, infiltration detection, containment, cleanup, and forensics. Key features include one-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Service Center: Help Desk Managed Services
Progent's Help Center managed services permit your IT staff to offload Support Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house network support team and Progent's extensive roster of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a smooth supplement to your core network support organization. Client interaction with the Service Desk, provision of support, escalation, ticket generation and tracking, efficiency measurement, and management of the support database are cohesive regardless of whether incidents are taken care of by your in-house support group, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Service Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management provide organizations of any size a flexible and cost-effective solution for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. In addition to optimizing the protection and functionality of your computer network, Progent's software/firmware update management services free up time for your in-house IT team to focus on line-of-business initiatives and activities that derive the highest business value from your network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication managed services incorporate Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation on iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you sign into a secured application and enter your password you are asked to verify your identity on a device that only you possess and that uses a different network channel. A broad range of out-of-band devices can be utilized as this second form of ID validation such as an iPhone or Android or watch, a hardware token, a landline phone, etc. You may designate several verification devices. For more information about Duo identity authentication services, refer to Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of real-time and in-depth management reporting tools designed to integrate with the top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.