Ransomware: Your Worst Information Technology Nightmare
Ransomware has become an escalating cyber pandemic and represents an existential danger for any business vulnerable to attack. Older families such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock have been in the wild for years and still cause damage. Modern crypto-ransomware such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with many lesser-known strains, not only encrypts online production data but also encrypts every backup it can reach over the network. Files replicated to the cloud can also be rendered useless when replication simply copies the encrypted versions over the originals. In a poorly architected environment this makes automated restore impossible and effectively knocks the entire system back to zero.
Getting online services and data back after a ransomware outage becomes a race against the clock as the targeted business struggles to stop lateral movement, eradicate the malware, and restore business-critical operations. Because ransomware takes time to move laterally, attackers usually trigger encryption at night or on weekends, when a successful penetration may take longer to notice. This compounds the difficulty of promptly assembling and coordinating an experienced response team.
Progent offers a range of services for protecting businesses from crypto-ransomware. These include employee training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation endpoint protection from SentinelOne, which uses behavioral AI to detect and quarantine zero-day threats quickly. Progent also provides experienced ransomware recovery consultants with the track record and perseverance to rebuild a breached environment as rapidly as possible.
Progent's Ransomware Recovery Help
After a ransomware attack, even paying the ransom in cryptocurrency gives no assurance that the criminals will deliver the keys needed to decrypt all your data. Kaspersky Lab found that 17% of ransomware victims who paid never recovered their files, compounding their losses. The ransom itself is expensive: Ryuk demands frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), well above the average ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the vital parts of your IT environment from scratch. Without complete, uncompromised backups, this calls for a broad complement of IT skills, professional project management, and the ability to work non-stop until the job is done.
For decades, Progent has provided expert Information Technology services for companies in Jersey City and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise allows Progent to quickly identify critical systems after a crypto-ransomware attack, salvage the surviving components of your IT environment, and rebuild them into a working system.
Progent's recovery group deploys state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent knows the importance of working swiftly and together with a customer's management and IT team members to assign priority to tasks and to get key applications back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Incident Response
A business engaged Progent after the Ryuk ransomware had taken over its network. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, possibly reusing techniques from the leaked NSA toolset; later analysis generally attributes it to a Russian-speaking criminal group. Ryuk targets organizations with limited tolerance for operational disruption and is one of the most lucrative ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had halted all business and manufacturing operations. Most of the client's backups had been online at the time of the attack and were encrypted along with everything else. The client was arranging financing to pay the ransom (over $200,000) and hoping for the best, but in the end called Progent.
"I cannot say enough about the care Progent gave us throughout the most stressful time of (our) business's existence. We most likely would have paid the cyber criminals if not for the confidence the Progent group gave us. That you could get our messaging and critical applications back online quicker than five days was incredible. Each expert I got help from or messaged at Progent was hell bent on getting my company operational and was working all day and night on our behalf."
Progent worked hand in hand with the client to quickly assess and prioritize the critical areas that had to be restored in order to resume business operations:
First, Progent followed incident response best practices by halting the spread and disinfecting systems. Progent then began the task of recovering Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange will not function without Active Directory, and the client's accounting and MRP applications ran on Microsoft SQL Server, which relied on Windows AD to authenticate access to the data.
- Active Directory (AD)
- Microsoft Exchange
Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then rebuilt and recovered the disks of the required servers. All Exchange Server objects and attributes in AD remained intact, which greatly simplified the Exchange restore. Progent was also able to collect unencrypted OST files (Microsoft Outlook Offline Folder Files) from user desktops and laptops to recover mailbox contents. A recent offline backup of the client's accounting/MRP software made it possible to bring those essential services back to users. Although a great deal of work remained to recover fully from the Ryuk damage, core systems were returned to operation rapidly:
"For the most part, the production operation did not miss a beat and we did not miss any customer deliverables."
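Collecting unencrypted OST files from user machines, as the case study describes, only helps if you can tell an intact Outlook data file from one the ransomware has already overwritten, and every file you collect should be hashed for chain of custody before it is touched. The following Python triage script is an added example, not Progent's tooling and not part of the original case study. It assumes that intact OST/PST files begin with the PFF magic bytes "!BDN" (true of the Outlook file format) and that Ryuk-encrypted files carry a .RYK extension and a "HERMES" footer marker, as public Ryuk analyses describe; both are parameters so they can be adjusted for another strain. The sample directory tree is constructed in a temporary directory so the script runs offline.

```python
"""Triage candidate Outlook data files collected after a ransomware attack.

Added example (not Progent's code). Assumptions, both adjustable below:
  - intact .ost/.pst files start with the PFF magic bytes b"!BDN"
  - Ryuk-encrypted files end in .RYK and carry a "HERMES" marker near EOF
"""
import hashlib
import os
import tempfile
from pathlib import Path

PFF_MAGIC = b"!BDN"          # header of Outlook .ost/.pst (PFF) files
RANSOM_EXT = {".ryk"}        # extension appended by Ryuk; extend for other strains
RANSOM_MARKER = b"HERMES"    # footer marker written by Ryuk (assumption from public analyses)
TAIL_BYTES = 4096            # how much of the file tail to scan for the marker


def classify_content(name, data):
    """Return 'intact', 'encrypted' or 'unknown' for a file name and its bytes."""
    if Path(name).suffix.lower() in RANSOM_EXT:
        return "encrypted"
    if data[:4] == PFF_MAGIC:
        return "intact"
    if RANSOM_MARKER in data[-TAIL_BYTES:]:
        return "encrypted"
    return "unknown"


def classify(path):
    """Classify one file on disk, reading only its head and tail."""
    with path.open("rb") as fh:
        head = fh.read(4)
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - TAIL_BYTES))
        tail = fh.read()
    # head + tail is enough for classify_content: it only inspects both ends
    return classify_content(path.name, head + tail if size > 4 else head)


def sha256(path):
    """Hash the file before anything else touches it (chain of custody)."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk root and record path, status, size and hash for every mailbox candidate."""
    rows = []
    candidate_ext = {".ost", ".pst"} | RANSOM_EXT
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in candidate_ext:
            rows.append({"path": str(p), "status": classify(p),
                         "bytes": p.stat().st_size, "sha256": sha256(p)})
    return rows


def intact_files(rows):
    """Paths worth importing into recovered mailboxes."""
    return [r["path"] for r in rows if r["status"] == "intact"]


def make_sample_tree():
    """Constructed sample data: one intact OST, one Ryuk-style encrypted OST, one junk file."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    (root / "alice").mkdir()
    (root / "alice" / "alice@example.com.ost").write_bytes(PFF_MAGIC + b"\x00" * 600)
    (root / "bob").mkdir()
    (root / "bob" / "bob@example.com.ost.RYK").write_bytes(b"\x5a" * 600 + RANSOM_MARKER + b"\xa5" * 256)
    (root / "bob" / "notes.txt").write_bytes(b"not a mailbox")
    return root


if __name__ == "__main__":
    for row in build_manifest(make_sample_tree()):
        print(f'{row["status"]:9} {row["sha256"][:16]}  {row["bytes"]:>8}  {row["path"]}')
```

Run the manifest from a write-blocked copy of the collected files, not from the users' machines, and keep the hashes with the incident record; a file whose status comes back "unknown" may be a partially written OST or a strain using a different marker and should be examined by hand rather than discarded.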
Over the next few weeks, important milestones in the restoration project were completed through close cooperation between Progent's team and the client:
- Internal web sites were brought back up without losing any data.
- The MailStore email archive server, holding more than 4 million historical messages, was brought back online and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory capabilities were completely operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Ninety percent of the user PCs were fully operational.
"Much of what transpired during the initial response is nearly entirely a fog for me, but we will not soon forget the commitment all of the team put in to help get our company back. I've utilized Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."
A potentially company-killing disaster was averted through hard-working professionals, a wide spectrum of IT skills, and close collaboration. In hindsight, the attack described here should have been detected and prevented by modern security tooling and best practices: user education, offline or otherwise unreachable backups, disciplined patching, and properly executed incident response procedures. Yet the fact remains that state-sponsored and criminal attackers from Russia, North Korea and elsewhere are tireless and a continuing threat. If you are hit by a ransomware incident, know that Progent's team has proven experience in ransomware prevention, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get rested after we made it over the most critical parts. All of you did an amazing effort, and if anyone that helped is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Jersey City a portfolio of online monitoring and security assessment services to help reduce the threat from crypto-ransomware. These services include behavioral AI technology to detect zero-day strains of crypto-ransomware that evade legacy signature-based anti-virus products.
For Jersey City 24/7 Crypto-Ransomware Recovery Consulting, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that uses SentinelOne's behavior-based analysis to defend physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which easily get past traditional signature-based AV tools. ProSight ASM protects on-premises and cloud resources and offers a single platform covering the complete malware attack lifecycle: protection, infiltration detection, containment, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly identified attacks. Note that VSS rollback depends on shadow copies surviving the attack: Ryuk and most current strains attempt to delete them (for example with vssadmin delete shadows) before encrypting, so the endpoint agent must block or at least detect that step for rollback to remain available. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP offers firewall protection, penetration alarms, device management, and web filtering through cutting-edge tools incorporated within one agent accessible from a unified control. Progent's data protection and virtualization consultants can help you to design and configure a ProSight ESP deployment that addresses your organization's specific requirements and that helps you demonstrate compliance with legal and industry data protection regulations. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent's consultants can also assist your company to install and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has worked with leading backup technology providers to produce ProSight Data Protection Services (DPS), a family of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup processes and enable non-disruptive backup and fast restoration of critical files, applications, images, and VMs. ProSight DPS helps you avoid data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or software bugs. Managed services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these fully managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security vendors to deliver centralized control and comprehensive security for all your inbound and outbound email. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of analysis for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, monitor, optimize and troubleshoot their networking appliances such as routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept current, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating tedious network management activities, WAN Watch can cut hours off common tasks such as network mapping, expanding your network, locating devices that need critical updates, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating efficiently by checking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT personnel and your Progent engineering consultant so that any looming issues can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect information related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL/TLS certificates or domain registrations. By updating and managing your IT infrastructure documentation, you can eliminate as much as half of the time spent looking for critical information about your IT network. ProSight IT Asset Management provides a common location for holding and sharing all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection solution that uses behavior-based analysis to guard endpoint devices, servers and VMs against new malware attacks such as ransomware and email phishing, which easily get past traditional signature-based anti-virus products. The service safeguards local and cloud-based resources and provides a single platform covering the complete threat lifecycle: filtering, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.
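Both the ProSight Active Security Monitoring and the Active Protection Against Ransomware descriptions above rely on VSS rollback, which only works if shadow copies still exist when the encryption is noticed. The commands ransomware runs to destroy them (vssadmin delete shadows, vssadmin resize shadowstorage, wbadmin delete catalog, bcdedit recoveryenabled no, WMI Win32_ShadowCopy deletion) are noisy and appear in Windows Security 4688 or Sysmon Event ID 1 process-creation logs, which makes them a high-value detection regardless of which endpoint product you run. The Python detector below is an added example, not part of any ProSight product. The log lines are constructed here in a simplified tab-separated "timestamp, host, user, parent, command line" layout standing in for those events; it also flags the night-and-weekend timing the page notes for these attacks.

```python
"""Detect shadow-copy and recovery tampering in process-creation logs.

Added example, not part of Progent's ProSight products. Input lines are
constructed below in a simplified tab-separated format standing in for
Windows Security 4688 / Sysmon Event ID 1 records.
"""
import re
from datetime import datetime

# Commands used by Ryuk and similar strains to destroy recovery points before encrypting.
RULES = [
    ("vss_delete",  re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize",  re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadow", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_cat", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_rec", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("ps_shadow",   re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I)),
]


def off_hours(ts):
    """Weekend, or between 19:00 and 07:00: the window the page says attacks favor."""
    return ts.weekday() >= 5 or ts.hour >= 19 or ts.hour < 7


def parse_line(line):
    """Split one constructed record into its fields (command line may contain tabs)."""
    ts, host, user, parent, cmd = line.rstrip("\n").split("\t", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "cmd": cmd}


def match_rules(cmd):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(lines):
    """Return one alert per matching event, with off-hours context attached."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        hits = match_rules(ev["cmd"])
        if hits:
            alerts.append({"ts": ev["ts"].isoformat(), "host": ev["host"], "user": ev["user"],
                           "parent": ev["parent"], "cmd": ev["cmd"],
                           "rules": hits, "off_hours": off_hours(ev["ts"])})
    return alerts


def summarize(alerts):
    """Group by host: several distinct tamper commands from one host in quick succession is the strong signal."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    return {h: {"count": len(v),
                "rules": sorted({r for a in v for r in a["rules"]}),
                "off_hours": any(a["off_hours"] for a in v)}
            for h, v in by_host.items()}


def _rec(ts, host, user, parent, cmd):
    return "\t".join((ts, host, user, parent, cmd))


# Constructed sample log: a Saturday 02:13 burst on a file server, plus benign weekday activity.
SAMPLE_LOG = [
    _rec("2019-12-14T02:13:05", "FS01", "CORP\\svc_backup", "cmd.exe", "vssadmin.exe Delete Shadows /all /quiet"),
    _rec("2019-12-14T02:13:06", "FS01", "CORP\\svc_backup", "cmd.exe", "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    _rec("2019-12-14T02:13:07", "FS01", "CORP\\svc_backup", "cmd.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    _rec("2019-12-14T02:13:08", "FS01", "CORP\\svc_backup", "cmd.exe", "wbadmin.exe delete catalog -quiet"),
    _rec("2019-12-13T10:02:41", "WS-117", "CORP\\jdoe", "explorer.exe", "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\""),
    _rec("2019-12-13T14:30:00", "DC01", "CORP\\admin", "mmc.exe", "vssadmin.exe list shadows"),
]


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        flag = "OFF-HOURS" if a["off_hours"] else ""
        print(f'{a["ts"]} {a["host"]:7} {a["user"]:16} {",".join(a["rules"]):12} {flag} {a["cmd"]}')
    print(summarize(found))
```

Run against real 4688/Sysmon exports by replacing SAMPLE_LOG with the parsed events; treat a single vssadmin delete from an admin console as worth a look, and two or more distinct rules from one host within a minute, off hours, as a page-the-on-call event, because encryption usually starts seconds later.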
- Outsourced/Co-managed Service Desk: Call Center Managed Services
Progent's Call Center services permit your IT staff to offload Help Desk services to Progent or divide activity for Help Desk services seamlessly between your internal network support staff and Progent's nationwide roster of IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a seamless supplement to your in-house support team. Client interaction with the Service Desk, provision of technical assistance, escalation, trouble ticket creation and updates, performance metrics, and maintenance of the service database are consistent regardless of whether incidents are resolved by your corporate network support organization, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Help Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer businesses of all sizes a flexible and affordable solution for evaluating, testing, scheduling, applying, and tracking updates to your ever-evolving IT network. In addition to maximizing the security and reliability of your computer environment, Progent's software/firmware update management services permit your in-house IT team to concentrate on line-of-business projects and tasks that derive the highest business value from your network. Read more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication services incorporate Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you log into a protected application and give your password you are asked to confirm your identity via a device that only you possess and that is accessed using a different network channel. A broad selection of devices can be used for this added means of authentication including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You may designate several validation devices. To learn more about ProSight Duo two-factor identity authentication services, visit Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time and in-depth management reporting tools designed to integrate with the industry's top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues such as inconsistent support follow-through or endpoints with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.