Crypto-Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become a too-frequent cyber pandemic that represents an extinction-level danger for organizations poorly prepared for an attack. Older versions of ransomware such as the Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and still cause havoc. Newer variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nephilim, along with daily unnamed newcomers, not only encrypt on-line data but also infiltrate any accessible system restores and backups. Files synched to the cloud can also be encrypted. Against a vulnerable data protection solution, this can make any restoration impossible and effectively sets the datacenter back to square one.
Getting services and information back on-line following a ransomware outage becomes a sprint against time as the targeted business struggles to contain the damage, clean up the ransomware, and resume mission-critical operations. Because ransomware needs time to move laterally, penetrations are frequently launched on weekends, when successful attacks typically take longer to detect. This multiplies the difficulty of promptly marshalling and orchestrating an experienced mitigation team.
Progent provides an assortment of solutions for securing businesses against ransomware events. Among these are team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security appliances with machine learning capabilities from SentinelOne to identify and suppress zero-day cyber attacks automatically. Progent in addition provides the assistance of seasoned ransomware recovery engineers with the talent and perseverance to re-deploy a breached system as soon as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware event, paying the ransom demanded in cryptocurrency does not provide any assurance that remote criminals will return the keys to decipher any or all of your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their data after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to piece back together the key parts of your IT environment. Absent full information backups, this requires a wide complement of skill sets, professional team management, and the capability to work continuously until the task is over.
For twenty years, Progent has made available professional IT services for companies in Montgomery and throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained top certifications in leading technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to quickly understand the necessary systems, organize the remaining components of your computer network after a crypto-ransomware penetration, and rebuild them into an operational network.
Progent's recovery team deploys top-notch project management systems to coordinate the sophisticated restoration process. Progent knows the importance of working quickly and together with a customer's management and IT staff to assign priority to tasks and to put essential applications back on line as fast as possible.
Client Story: A Successful Crypto-Ransomware Penetration Restoration
A business escalated to Progent after their company was compromised by Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored hackers, suspected of using techniques leaked from the United States NSA. Ryuk goes after specific organizations with little or no ability to sustain operational disruption and is one of the most lucrative iterations of ransomware malware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer located in Chicago with around 500 employees. The Ryuk event had brought down all company operations and manufacturing capabilities. The majority of the client's information backups had been online at the time of the attack and were destroyed. The client was pursuing financing for paying the ransom (in excess of $200,000) and wishfully hoping for good luck, but ultimately engaged Progent.
"I cannot tell you enough in regards to the care Progent gave us during the most stressful period of (our) company's survival. We had little choice but to pay the hackers behind this attack except for the confidence the Progent group provided us. The fact that you could get our e-mail and key applications back online faster than a week was something I thought impossible. Every single staff member I spoke to or texted at Progent was totally committed on getting us operational and was working non-stop on our behalf."
Progent worked with the customer to rapidly identify and assign priority to the key elements that needed to be addressed to make it possible to resume departmental operations:
- Microsoft Active Directory
- Electronic Mail
- Accounting/MRP
To start, Progent followed ransomware incident mitigation industry best practices by halting the spread and removing active malware. Progent then started the process of bringing Windows Active Directory back online, the foundation of enterprise environments built upon Microsoft technology. Microsoft Exchange messaging will not operate without AD, and the customer's MRP applications utilized SQL Server, which depends on Windows AD for authentication and authorization of access to the data.
In less than 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then assisted with reinstallations and hard drive recovery for the most important applications. All Exchange ties and attributes in AD were intact, which facilitated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on team workstations to recover email information. A recent offline backup of the customer's accounting software made it possible to bring these required services back online. Although major work still had to be done to recover fully from the Ryuk virus, critical services were restored rapidly:
"For the most part, the production line operation did not miss a beat and we made all customer deliverables."
Throughout the next few weeks key milestones in the restoration project were achieved through close cooperation between Progent engineers and the client:
- Self-hosted web sites were restored with no loss of data.
- The MailStore Server with over 4 million archived emails was brought online and available for users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory capabilities were 100 percent functional.
- A new Palo Alto 850 firewall was installed.
- Ninety percent of the user workstations were fully operational.
"So much of what transpired those first few days is nearly entirely a fog for me, but my management will not forget the commitment each and every one of your team accomplished to help get our business back. I have been working with Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."
Conclusion
A probable business-killing disaster was dodged thanks to hard-working professionals, a broad array of knowledge, and close collaboration. In hindsight, the ransomware incident detailed here would have been identified and disabled by advanced cyber security technology, recognized best practices, team training, appropriate incident response procedures for information protection, and keeping systems up to date with security patches. The reality remains, however, that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, feel confident that Progent's team of professionals has proven experience in ransomware virus defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for letting me get some sleep after we made it through the most critical parts. Everyone made a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Montgomery a variety of remote monitoring and security evaluation services to help you minimize your vulnerability to ransomware. These services incorporate next-generation AI technology to detect new strains of crypto-ransomware that are able to get past legacy signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting-edge behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get past legacy signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to manage the complete threat progression including protection, detection, containment, remediation, and forensics. Top capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reaction to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP deployment that meets your organization's unique needs and that helps you prove compliance with legal and industry data protection regulations. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent can also help you to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup/restore software providers to create ProSight Data Protection Services, a selection of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products automate and monitor your backup operations and allow non-disruptive backup and rapid recovery of critical files, apps, images, plus virtual machines. ProSight DPS lets your business avoid data loss resulting from equipment failures, natural calamities, fire, cyber attacks such as ransomware, user error, ill-intentioned employees, or software bugs. Managed backup services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to provide centralized management and world-class security for your inbound and outbound email. The powerful structure of Progent's Email Guard integrates cloud-based filtering with a local gateway device to provide advanced defense against spam, viruses, denial of service (DoS) attacks, directory harvest attacks (DHAs), and other email-based malware. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's onsite gateway device provides a deeper layer of analysis for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and access points plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are always current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating time-consuming management activities, WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding devices that need critical updates, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to help keep your network running efficiently by checking the state of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT management staff and your Progent engineering consultant so that any potential problems can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hardware environment without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect information about your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can save as much as 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based machine learning tools to guard endpoint devices, servers and VMs against modern malware attacks like ransomware and file-less exploits, which easily evade legacy signature-based AV products. Progent's ASM services safeguard on-premises and cloud resources and offer a single platform to automate the entire threat lifecycle including protection, detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Help Desk: Call Center Managed Services
Progent's Help Desk managed services allow your IT team to offload Call Center services to Progent or to divide Service Desk activity transparently between your in-house network support resources and Progent's extensive roster of certified IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent extension of your internal IT support group. End user access to the Help Desk, delivery of support services, problem escalation, trouble ticket creation and updates, performance metrics, and maintenance of the support database are cohesive whether incidents are resolved by your corporate support resources, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Help Desk services.
- Patch Management: Patch Management Services
Progent's managed services for patch management offer businesses of any size a flexible and affordable alternative for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information system. In addition to optimizing the security and reliability of your IT network, Progent's patch management services allow your IT staff to concentrate on line-of-business initiatives and activities that deliver maximum business value from your network. Read more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication managed services incorporate Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo supports single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you log into a secured online account and enter your password, you are requested to confirm who you are via a device that only you possess and that is accessed over a separate network channel. A broad selection of devices can be used as this second means of authentication, such as a smartphone or watch, a hardware/software token, or a landline phone. You can designate multiple verification devices. For more information about Duo identity validation services, refer to Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of real-time management reporting plug-ins created to integrate with the industry's leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-up or endpoints with out-of-date anti-virus software. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Montgomery Crypto Recovery Help, call Progent at 800-462-8800 or go to Contact Progent.