Crypto-Ransomware : Your Crippling IT Catastrophe
Ransomware has become a modern cyber plague that presents an enterprise-level danger for businesses poorly prepared for an assault. Different iterations of ransomware like the Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and continue to cause havoc. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, plus additional as yet unnamed newcomers, not only encrypt online data but also infiltrate any configured system backups. Data replicated to the cloud can also be ransomed. In a poorly designed system, this can render any restore operation hopeless and basically knocks the datacenter back to square one.
Getting programs and information back online following a crypto-ransomware intrusion becomes a sprint against the clock as the victim fights to stop lateral movement, remove the ransomware, and resume enterprise-critical activity. Because ransomware needs time to spread, attacks are frequently launched on weekends, when penetrations in many cases take more time to detect. This compounds the difficulty of rapidly mobilizing and orchestrating a knowledgeable response team.
Progent has a variety of solutions for securing enterprises against crypto-ransomware penetrations. Among these are user training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with AI capabilities from SentinelOne to detect and quarantine zero-day threats quickly. Progent also offers the assistance of expert ransomware recovery consultants with the talent and commitment to re-deploy a breached environment as urgently as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware event, even paying the ransom demand in Bitcoin provides no assurance that merciless criminals will return the keys needed to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never restored their data after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET determined to be around $13,000. The alternative is to set up the essential components of your Information Technology environment from scratch. Absent access to complete data backups, this calls for a broad complement of skills, top-notch team management, and the capability to work non-stop until the recovery project is complete.
For two decades, Progent has made available professional IT services for companies in Montgomery and throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned high-level industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security consultants have garnered internationally renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the capability to rapidly understand necessary systems, integrate the remaining parts of your network environment after a ransomware event, and configure them into an operational system.
Progent's security group deploys top-notch project management systems to coordinate the complex recovery process. Progent understands the urgency of acting swiftly and working together with a customer's management and IT team members to assign priority to tasks and to get the most important applications back online as soon as possible.
Customer Story: A Successful Crypto-Ransomware Virus Restoration
A business contacted Progent after their company was attacked by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean government sponsored criminal gangs, possibly adopting algorithms leaked from the United States National Security Agency. Ryuk attacks specific companies with little or no room for disruption and is one of the most profitable incarnations of ransomware viruses. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area with about 500 staff members. The Ryuk attack had brought down all business operations and manufacturing capabilities. Most of the client's backups had been online when the intrusion began and were destroyed. The client was evaluating paying the ransom (exceeding $200K) and hoping for the best, but in the end reached out to Progent.
"I can't tell you enough regarding the help Progent provided us during the most critical time of (our) business's existence. We may have had to pay the Hackers if it wasn't for the confidence the Progent experts gave us. That you could get our e-mail system and important servers back in less than seven days was incredible. Each expert I spoke to or messaged at Progent was urgently focused on getting our system up and was working day and night on our behalf."
Progent worked together with the client to quickly assess and assign priority to the essential elements that needed to be addressed to make it possible to resume departmental operations:
- Microsoft Active Directory
- Microsoft Exchange Server
- Accounting/MRP
To start, Progent followed anti-malware incident mitigation best practices by stopping lateral movement and cleaning systems of malware. Progent then started the work of rebuilding Microsoft Active Directory, the heart of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server email will not work without AD, and the customer's accounting and MRP system used SQL Server, which requires Windows AD for access to the information.
Within 2 days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then helped rebuild critical applications and recover their storage. All Microsoft Exchange Server data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Folder Files) on user desktop computers to recover email messages. A recent off-line backup of the client's accounting/MRP software made it possible to restore these vital programs and make them available to users again. Although significant work remained to recover fully from the Ryuk virus, critical systems were returned to operation quickly:
"For the most part, the production operation never missed a beat and we produced all customer orders."
Throughout the next couple of weeks, critical milestones in the restoration process were completed through tight cooperation between Progent team members and the customer:
- Self-hosted web sites were restored without losing any data.
- The MailStore Exchange Server, holding more than 4 million historical messages, was spun up and made available to users.
- CRM/Orders/Invoices/AP/Accounts Receivables/Inventory functions were fully recovered.
- A new Palo Alto Networks 850 security appliance was brought online.
- Nearly all of the desktops and laptops were fully operational.
"Much of what happened those first few days is mostly a blur for me, but we will not forget the dedication each and every one of the team accomplished to give us our company back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This event was the most impressive ever."
Conclusion
A potential business-killing catastrophe was avoided by top-tier experts, a wide range of knowledge, and close teamwork. In retrospect, the ransomware incident described here should have been shut down by up-to-date cyber security technology and recognized best practices: team education, well-designed incident response procedures, reliable data backup, and keeping systems current with security patches. The reality remains, however, that state-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware penetration, feel confident that Progent's roster of experts has a proven track record in crypto-ransomware virus blocking, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), thank you for letting me get rested after we got past the most critical parts. All of you did an amazing effort, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, click: Progent's Ryuk Virus Recovery Case Study Datasheet (PDF - 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Montgomery a portfolio of online monitoring and security assessment services designed to help you reduce the threat from crypto-ransomware. These services utilize modern artificial intelligence capability to uncover new strains of ransomware that can escape detection by traditional signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily get by legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to automate the entire malware attack progression including filtering, infiltration detection, containment, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP deployment that meets your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent action. Progent's consultants can also help your company install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with advanced backup technology providers to create ProSight Data Protection Services (DPS), a family of management offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your backup operations and enable non-disruptive backup and fast restoration of vital files/folders, apps, system images, and virtual machines. ProSight DPS lets your business recover from data loss caused by hardware breakdown, natural calamities, fire, malware such as ransomware, human error, malicious employees, or software bugs. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security vendors to deliver web-based management and world-class protection for all your email traffic. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises gateway device adds a deeper layer of inspection for inbound email. For outbound email, the on-premises gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to diagram, track, enhance and debug their connectivity hardware like switches, firewalls, and access points as well as servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are kept current, copies and manages the configuration information of almost all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating complex network management processes, ProSight WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating appliances that require important software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system running efficiently by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your specified IT personnel and your Progent engineering consultant so all potential issues can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect information about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains, or warranties. By cleaning up and organizing your network documentation, you can save up to half the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your business network, like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes next-generation behavior analysis technology to guard endpoints as well as physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based anti-virus products. Progent's Active Security Monitoring services protect local and cloud resources and offer a single platform to automate the entire malware attack lifecycle including filtering, identification, mitigation, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Find out more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Call Center: Support Desk Managed Services
Progent's Support Desk managed services allow your information technology team to outsource Help Desk services to Progent or split responsibilities for Service Desk support seamlessly between your in-house support group and Progent's extensive pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a seamless extension of your in-house support team. End user access to the Help Desk, provision of support, problem escalation, ticket generation and tracking, performance measurement, and management of the support database are consistent whether issues are taken care of by your core network support organization, by Progent, or both. Find out more about Progent's outsourced/co-managed Help Center services.
- Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management offer organizations of any size a flexible and affordable solution for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information network. Besides optimizing the security and functionality of your computer environment, Progent's patch management services free up time for your IT team to concentrate on more strategic initiatives and tasks that deliver maximum business value from your information network. Find out more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity verification with iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a protected application and enter your password, you are asked to verify who you are via a device that only you have and that is accessed using a separate network channel. A broad selection of devices can be used for this second form of ID validation, such as an iPhone, Android phone or wearable, a hardware/software token, or a landline phone. You may register several verification devices. For details about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time reporting plug-ins designed to integrate with the top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues such as spotty support follow-up or machines with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For 24-Hour Montgomery Ransomware Cleanup Help, contact Progent at 800-462-8800 or go to Contact Progent.