Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware has become a modern cyber pandemic that represents an existential threat for organizations unprepared for an assault. Different iterations of ransomware like the Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for years and continue to inflict damage. Recent versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with additional unnamed newcomers, not only encrypt online critical data but also infiltrate any accessible system backups. Files synched to cloud environments can also be ransomed. In a poorly architected data protection solution, this can make automated restoration impossible and effectively sets the datacenter back to zero.

Recovering applications and information following a crypto-ransomware intrusion becomes a race against time as the targeted organization struggles to stop the spread and remove the crypto-ransomware and to resume business-critical operations. Because crypto-ransomware requires time to spread, assaults are frequently sprung on weekends and holidays, when attacks typically take more time to identify. This multiplies the difficulty of promptly assembling and organizing a capable response team.

Progent makes available a variety of solutions for securing organizations from ransomware penetrations. Among these are team member education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation security gateways with artificial intelligence capabilities from SentinelOne to detect and disable day-zero cyber threats rapidly. Progent in addition offers the assistance of experienced ransomware recovery consultants with the talent and commitment to restore a compromised network as urgently as possible.

Progent's Ransomware Restoration Help
Soon after a crypto-ransomware event, paying the ransom in cryptocurrency does not guarantee that the cyber criminals will return the keys to decrypt all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to set up the mission-critical components of your IT environment from scratch. Without complete system backups, this calls for a wide complement of skills, top notch project management, and the ability to work 24x7 until the job is complete.

For twenty years, Progent has offered certified expert IT services for companies in Montgomery and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded advanced certifications in important technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity experts have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of experience affords Progent the ability to rapidly determine necessary systems and organize the surviving parts of your Information Technology environment after a crypto-ransomware event and assemble them into an operational network.

Progent's recovery team of experts utilizes top notch project management applications to orchestrate the sophisticated recovery process. Progent appreciates the urgency of working quickly and in unison with a customer's management and Information Technology staff to prioritize tasks and to get critical services back on-line as fast as humanly possible.

Client Case Study: A Successful Ransomware Incident Response
A business contacted Progent after their organization was crippled by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state hackers, suspected of adopting techniques exposed from the U.S. NSA organization. Ryuk goes after specific companies with little room for disruption and is one of the most lucrative instances of ransomware malware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in the Chicago metro area with about 500 staff members. The Ryuk event had paralyzed all business operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the start of the intrusion and were damaged. The client considered paying the ransom demand (more than $200,000) and hoping for good luck, but ultimately called Progent.


"I can't thank you enough in regards to the care Progent provided us throughout the most stressful time of (our) company's existence. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent group afforded us. The fact that you could get our messaging and key applications back online sooner than a week was something I thought impossible. Each expert I interacted with or communicated with at Progent was urgently focused on getting us back online and was working at breakneck pace to bail us out."

Progent worked together with the client to quickly assess and prioritize the key elements that had to be restored to make it possible to continue business functions:

  • Windows Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software

To start, Progent followed malware incident response best practices by stopping lateral movement and disinfecting systems. Progent then started the steps of rebuilding Microsoft AD, the core of enterprise environments built upon Microsoft technology. Exchange messaging will not function without Active Directory, and the business's accounting and MRP software leveraged Microsoft SQL Server, which needs Active Directory services for access to the data.

Within two days, Progent was able to rebuild Active Directory services to its pre-virus state. Progent then performed setup and storage recovery on the needed servers. All Exchange ties and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Off-Line Folder Files) on various workstations and laptops in order to recover mail messages. A fairly recent offline backup of the customer's financials/MRP software made it possible to bring these essential applications back to users. Although significant work remained to recover totally from the Ryuk event, the most important services were recovered quickly:


"For the most part, the production operation never missed a beat and we produced all customer sales."

Throughout the next few weeks, important milestones in the recovery process were reached through close cooperation between Progent team members and the client:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Exchange Server with over four million archived emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory functions were 100 percent restored.
  • A new Palo Alto 850 firewall was set up and programmed.
  • Most of the user workstations were functioning as before the incident.

"So much of what was accomplished during the initial response is nearly entirely a blur for me, but my team will not soon forget the commitment all of the team accomplished to help get our company back. I have been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered. This event was a Herculean accomplishment."

Conclusion
A probable business extinction catastrophe was avoided due to top-tier experts, a broad range of IT skills, and close collaboration. In post mortem, the ransomware penetration described here could have been disabled with modern security technology solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well designed incident response procedures for information backup and keeping systems up to date with security patches. The fact remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of professionals has a proven track record in ransomware virus blocking, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thanks very much for allowing me to get rested after we made it over the initial push. Everyone did an incredible job, and if any of your guys is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Montgomery a variety of online monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services utilize modern AI capability to uncover zero-day strains of ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which routinely get by traditional signature-based AV products. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to automate the complete malware attack lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
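The behaviour-analysis engine that ProSight ASM relies on (SentinelOne's) is proprietary and the page does not describe its internals. As an added illustration that is not code from Progent or SentinelOne, the toy detector below shows the two signals such products typically combine to tell bulk encryption apart from ordinary file activity: a burst of writes that change file extensions within a short window, and written content whose byte entropy is close to that of ciphertext. The event format, the constructed sample events, and the thresholds (10-second window, five events, 7.5 bits/byte) are assumptions chosen for this example.

```python
"""Toy behaviour-based ransomware detector.

Added illustration, not Progent's or SentinelOne's code. It scores per-process
file-write events on (a) extension changes and (b) entropy of the written
bytes; only a process that shows BOTH signals in a burst is flagged, so a
converter that renames plain-text files or a backup tool that writes one
compressed archive is not reported.
"""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float          # seconds since start of capture (assumed event schema)
    pid: int           # writing process
    old_name: str      # name before the write/rename
    new_name: str      # name after the write/rename
    content: bytes     # bytes written (in practice the first block is enough)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 looks random (encrypted or compressed), text is ~4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def changed_extension(old_name: str, new_name: str) -> bool:
    return old_name.rsplit(".", 1)[-1].lower() != new_name.rsplit(".", 1)[-1].lower()


def score_processes(events, window_s=10.0, min_events=5, entropy_floor=7.5):
    """Return {pid: reason} for processes whose file activity looks like bulk encryption."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    flagged = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):          # sliding time window over the events
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            if len(window) < min_events:
                continue
            renamed = sum(changed_extension(e.old_name, e.new_name) for e in window)
            high_entropy = sum(shannon_entropy(e.content) >= entropy_floor for e in window)
            if renamed >= min_events and high_entropy >= min_events:
                flagged[pid] = (f"{renamed} extension changes and {high_entropy} "
                                f"high-entropy writes within {window_s:.0f}s")
                break
    return flagged


def _pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic random-looking bytes (SHA-256 chain) standing in for encrypted content."""
    out, block = b"", seed.to_bytes(4, "big")
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def demo() -> dict:
    """Constructed sample: one benign writer, one benign converter, one encryptor."""
    text = b"quarterly report line with ordinary words\n" * 100
    events = []
    for i in range(8):
        # pid 100: a word processor saving .docx files in place (no rename, low entropy)
        events.append(FileEvent(i * 0.5, 100, f"report{i}.docx", f"report{i}.docx", text))
        # pid 300: a converter renaming .txt -> .md but writing plain text (one signal only)
        events.append(FileEvent(i * 0.5, 300, f"notes{i}.txt", f"notes{i}.md", text))
        # pid 200: rapid rename to a new extension plus ciphertext-like content (both signals)
        events.append(FileEvent(i * 0.1, 200, f"invoice{i}.xlsx", f"invoice{i}.xlsx.locked",
                                _pseudo_ciphertext(i)))
    return score_processes(events)


if __name__ == "__main__":
    for pid, reason in demo().items():
        print(f"ALERT pid {pid}: {reason}")
```

Requiring both signals is the point: extension changes alone describe many legitimate tools, and high-entropy writes alone describe every archiver and image encoder, but a burst of both from one process is the pattern a rollback-capable product would act on.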

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection services offer economical in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a unified console. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP deployment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure the policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent can also help you to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology providers to create ProSight Data Protection Services (DPS), a selection of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and enable transparent backup and rapid restoration of important files/folders, applications, system images, and VMs. ProSight DPS helps you protect against data loss caused by equipment breakdown, natural disasters, fire, malware such as ransomware, user error, ill-intentioned insiders, or software bugs. Managed services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security companies to deliver centralized management and world-class protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This reduces your vulnerability to external attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of analysis for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to map out, monitor, reconfigure and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are kept updated, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, locating appliances that need critical software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your network running efficiently by checking the state of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your specified IT staff and your Progent consultant so that any looming problems can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved easily to a different hardware solution without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect data related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time wasted looking for critical information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates next generation behavior-based machine learning tools to defend endpoint devices, servers and VMs against modern malware assaults like ransomware and email phishing, which routinely escape legacy signature-matching AV tools. Progent ASM services protect local and cloud resources and offer a single platform to manage the complete threat progression including filtering, infiltration detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Service Desk: Call Center Managed Services
    Progent's Support Center services allow your IT staff to offload Call Center services to Progent or divide activity for support services seamlessly between your internal network support group and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth supplement to your corporate IT support resources. End user access to the Service Desk, provision of support services, issue escalation, ticket creation and tracking, performance measurement, and maintenance of the support database are consistent regardless of whether incidents are resolved by your internal support staff, by Progent's team, or by a combination. Find out more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide organizations of any size a versatile and affordable solution for evaluating, validating, scheduling, implementing, and tracking updates to your dynamic IT network. Besides optimizing the security and functionality of your IT environment, Progent's software/firmware update management services allow your IT team to concentrate on line-of-business projects and tasks that deliver the highest business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication. Duo enables one-tap identity verification with iOS, Android, and other out-of-band devices. With 2FA, when you sign into a protected online account and enter your password you are requested to confirm who you are on a device that only you possess and that uses a separate network channel. A wide range of out-of-band devices can be utilized as this second form of authentication such as a smartphone or wearable, a hardware token, a landline telephone, etc. You may designate several validation devices. To learn more about ProSight Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of real-time and in-depth reporting plug-ins designed to integrate with the top ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues like inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.

For 24-Hour Montgomery Crypto Removal Help, contact Progent at 800-462-8800 or go to Contact Progent.