Ransomware : Your Feared IT Disaster
Ransomware has become an escalating cyberplague that poses an enterprise-level danger for organizations poorly prepared for an attack. Different versions of crypto-ransomware like the Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been around for many years and still inflict destruction. Newer variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, along with more unnamed newcomers, not only encrypt on-line information but also infect most accessible system backups. Files replicated to the cloud can also be encrypted. In a vulnerable system, this can render any recovery hopeless and basically knocks the datacenter back to square one.
Getting back programs and data after a ransomware attack becomes a race against time as the targeted organization tries its best to stop lateral movement and clear the virus and to resume enterprise-critical operations. Since ransomware needs time to replicate, assaults are often sprung at night, when penetrations may take longer to discover. This multiplies the difficulty of promptly mobilizing and orchestrating a qualified response team.
Progent offers an assortment of help services for protecting organizations from ransomware events. These include team training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of next-generation security appliances with artificial intelligence technology from SentinelOne to discover and quarantine zero-day cyber threats automatically. Progent also offers the assistance of veteran crypto-ransomware recovery consultants with the skills and perseverance to rebuild a breached environment as soon as possible.
Progent's Ransomware Recovery Support Services
Subsequent to a ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will provide the needed keys to unencrypt any or all of your files. Kaspersky Labs ascertained that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to re-install the mission-critical elements of your Information Technology environment. Without access to full system backups, this requires a wide complement of skills, professional project management, and the capability to work 24x7 until the task is done.
For twenty years, Progent has provided expert IT services for companies in Jersey City and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of expertise provides Progent the ability to rapidly ascertain critical systems and consolidate the surviving parts of your network system after a ransomware attack and assemble them into a functioning network.
Progent's security team deploys powerful project management applications to coordinate the sophisticated restoration process. Progent understands the importance of acting swiftly and in concert with a client's management and Information Technology staff to prioritize tasks and to get critical systems back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Penetration Restoration
A small business sought out Progent after their organization was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state sponsored hackers, suspected of using strategies leaked from America's National Security Agency. Ryuk seeks specific companies with little room for disruption and is one of the most profitable incarnations of ransomware viruses. Major targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago and has about 500 staff members. The Ryuk event had frozen all essential operations and manufacturing processes. The majority of the client's system backups had been online at the time of the intrusion and were eventually encrypted. The client was taking steps for paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.
"I can't thank you enough in regards to the care Progent gave us throughout the most critical time of (our) businesses existence. We may have had to pay the hackers behind this attack except for the confidence the Progent group provided us. That you could get our e-mail and essential servers back in less than seven days was something I thought impossible. Every single expert I talked with or messaged at Progent was hell bent on getting us operational and was working 24 by 7 to bail us out."
Progent worked hand in hand the client to quickly determine and assign priority to the essential elements that had to be recovered in order to restart departmental operations:
To start, Progent adhered to AV/Malware Processes incident mitigation best practices by stopping lateral movement and clearing up compromised systems. Progent then started the process of bringing back online Active Directory, the key technology of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without Windows AD, and the businesses' financials and MRP applications used Microsoft SQL Server, which needs Active Directory services for access to the information.
- Windows Active Directory
In less than two days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then accomplished rebuilding and hard drive recovery of key systems. All Microsoft Exchange Server data and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to collect local OST files (Microsoft Outlook Off-Line Data Files) on user workstations to recover mail data. A recent offline backup of the customer's financials/ERP software made it possible to restore these essential services back on-line. Although a lot of work still had to be done to recover completely from the Ryuk attack, critical systems were restored rapidly:
"For the most part, the production line operation showed little impact and we produced all customer deliverables."
Throughout the following couple of weeks critical milestones in the recovery project were completed in tight collaboration between Progent engineers and the customer:
- Internal web applications were restored with no loss of information.
- The MailStore Exchange Server exceeding 4 million historical messages was spun up and available for users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory modules were 100 percent restored.
- A new Palo Alto 850 firewall was installed.
- 90% of the user desktops and notebooks were being used by staff.
"A huge amount of what occurred those first few days is mostly a fog for me, but we will not forget the commitment each and every one of you put in to help get our business back. I've utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This time was a testament to your capabilities."
A potential business-killing disaster was dodged with dedicated professionals, a broad spectrum of subject matter expertise, and close teamwork. Although in retrospect the ransomware incident described here should have been blocked with up-to-date security systems and best practices, user and IT administrator education, and well designed security procedures for backup and keeping systems up to date with security patches, the fact is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's team of experts has substantial experience in ransomware virus defense, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), thank you for allowing me to get some sleep after we made it over the initial fire. Everyone did an amazing effort, and if any of your guys is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Jersey City a range of online monitoring and security evaluation services to help you to reduce your vulnerability to ransomware. These services include modern artificial intelligence technology to detect new variants of crypto-ransomware that can evade traditional signature-based anti-virus products.
For Jersey City 24-Hour Ransomware Repair Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to manage the complete malware attack lifecycle including filtering, infiltration detection, containment, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering via leading-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization experts can assist you to plan and implement a ProSight ESP environment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help your company to set up and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with leading backup/restore software companies to produce ProSight Data Protection Services (DPS), a family of subscription-based offerings that deliver backup-as-a-service. ProSight DPS products automate and track your backup processes and allow transparent backup and rapid recovery of important files/folders, apps, images, plus VMs. ProSight DPS helps you recover from data loss caused by equipment failures, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or application glitches. Managed services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security companies to provide web-based management and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard managed service integrates cloud-based filtering with a local security gateway device to offer complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of threats from making it to your network firewall. This reduces your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a further layer of analysis for inbound email. For outbound email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to track and protect internal email that stays within your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to diagram, track, optimize and troubleshoot their networking appliances like routers and switches, firewalls, and access points plus servers, printers, endpoints and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, captures and displays the configuration information of almost all devices on your network, monitors performance, and generates notices when problems are detected. By automating complex network management processes, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, finding devices that require important software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management personnel and your Progent consultant so any potential issues can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Since the environment is virtualized, it can be moved immediately to an alternate hardware solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to 50% of time spent trying to find vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to defend endpoints and physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which routinely get by traditional signature-based AV tools. Progent ASM services protect local and cloud-based resources and provides a unified platform to manage the entire malware attack progression including protection, detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and real-time network-wide immunization against new threats. Find out more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
Progent's Help Center services enable your IT group to outsource Support Desk services to Progent or divide activity for Service Desk support seamlessly between your internal support resources and Progent's extensive roster of certified IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a smooth extension of your internal network support staff. User access to the Service Desk, provision of technical assistance, issue escalation, ticket generation and updates, efficiency metrics, and maintenance of the support database are cohesive whether incidents are resolved by your internal IT support organization, by Progent's team, or both. Learn more about Progent's outsourced/shared Help Desk services.
- Patch Management: Patch Management Services
Progent's support services for patch management provide businesses of all sizes a flexible and cost-effective solution for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving information system. Besides optimizing the security and functionality of your IT network, Progent's software/firmware update management services free up time for your IT team to concentrate on more strategic projects and activities that derive the highest business value from your network. Find out more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA services incorporate Cisco's Duo cloud technology to defend against password theft by using two-factor authentication (2FA). Duo supports one-tap identity confirmation with iOS, Android, and other personal devices. With 2FA, whenever you sign into a secured online account and give your password you are asked to verify who you are on a device that only you have and that is accessed using a different network channel. A wide range of out-of-band devices can be used for this added means of authentication including a smartphone or watch, a hardware token, a landline telephone, etc. You can register multiple verification devices. For more information about Duo identity validation services, go to Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding line of in-depth management reporting utilities created to integrate with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.