Ransomware: Your Feared Information Technology Disaster
Ransomware has become a too-frequent cyber pandemic that represents an extinction-level danger for businesses of all sizes that are unprepared for an assault. Versions of ransomware like the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for a long time and still inflict destruction. Modern versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with additional as yet unnamed newcomers, not only encrypt online data but also attack any reachable system protection mechanisms. Data synchronized to off-site disaster recovery sites can also be ransomed. In a poorly architected system, this can make any restore operation impossible and basically knocks the network back to zero.
Bringing applications and data back online following a ransomware attack becomes a race against time as the targeted business struggles to contain the incident, clean up the ransomware, and restore business-critical operations. Because ransomware requires time to spread, assaults are usually sprung during weekends and nights, when successful penetrations tend to take more time to uncover. This multiplies the difficulty of quickly mobilizing and coordinating a knowledgeable mitigation team.
Progent makes available a range of solutions for securing businesses from crypto-ransomware events. These include staff education to help personnel recognize and avoid falling victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security appliances with AI technology from SentinelOne to discover and suppress zero-day threats automatically. Progent can also provide the services of experienced ransomware recovery professionals with the talent and commitment to restore a compromised network as soon as possible.
Progent's Ransomware Recovery Help
Soon after a crypto-ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will return the keys to decrypt any of your data. Kaspersky estimated that 17% of crypto-ransomware victims never restored their information even after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms are typically a few hundred thousand dollars. For larger enterprises, the ransom demand can reach millions. The fallback is to re-install the key parts of your IT environment. Absent the availability of essential data backups, this calls for a broad range of skills, professional team management, and the capability to work continuously until the task is completed.
For twenty years, Progent has made available certified expert Information Technology services for businesses across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned top industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (See Progent's certifications). Progent in addition has experience with financial management and ERP applications. This breadth of experience gives Progent the skills to quickly identify critical systems after a crypto-ransomware penetration, reassemble the surviving pieces of your computer network, and configure them into a functioning system.
Progent's recovery team utilizes top-notch project management systems to coordinate the complex recovery process. Progent knows the urgency of working quickly and in concert with a client's management and Information Technology team members to prioritize tasks and to put key systems back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Attack Recovery
A customer sought out Progent after their company was taken over by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state hackers, suspected of using algorithms leaked from the U.S. NSA. Ryuk targets specific organizations with limited tolerance for disruption and is among the most lucrative examples of crypto-ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with around 500 workers. The Ryuk penetration had paralyzed all company operations and manufacturing processes. The majority of the client's system backups had been online at the time of the attack and were damaged. The client was preparing to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately called Progent.
"I can't tell you enough about the care Progent gave us throughout the most stressful period of (our) business's existence. We would have paid the cyber criminals if it wasn't for the confidence the Progent group provided us. The fact that you could get our e-mail system and critical applications back on-line quicker than one week was something I thought impossible. Each staff member I talked with or communicated with at Progent was amazingly focused on getting us working again and was working 24/7 to bail us out."
Progent worked together with the client to quickly assess and assign priority to the critical services that needed to be recovered to make it possible to restart departmental functions:
- Windows Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To begin, Progent followed anti-virus/malware incident mitigation best practices by isolating affected systems and performing malware removal. Progent then began the steps of rebuilding Active Directory, the key technology of enterprise networks built on Microsoft Windows Server. Exchange email will not operate without AD, and the business's MRP applications used Microsoft SQL Server, which relies on Active Directory for authorization of access to the data.
In less than two days, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then assisted with setup and hard drive recovery of needed applications. All Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Off-Line Data Files) on staff desktop computers in order to recover mail data. A recent off-line backup of the customer's accounting/MRP software made it possible to bring these required applications back into service for users. Although significant work remained to recover fully from the Ryuk event, essential systems were returned to operation rapidly:
"For the most part, the production operation was never shut down and we did not miss any customer sales."
Throughout the next month, key milestones in the restoration project were completed in close collaboration between Progent team members and the client:
- In-house web applications were restored with no loss of information.
- The MailStore Exchange Server containing more than 4 million archived emails was brought on-line and accessible to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables/Inventory capabilities were completely functional.
- A new Palo Alto Networks 850 security appliance was set up and programmed.
- 90% of the user workstations were functioning as before the incident.
"A lot of what was accomplished those first few days is mostly a fog for me, but my team will not forget the commitment each and every one of your team accomplished to help get our business back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This situation was a testament to your capabilities."
Conclusion
A likely business catastrophe was averted with dedicated experts, a broad spectrum of subject matter expertise, and close teamwork. In retrospect, the ransomware attack described here would have been blocked by current cyber security systems and NIST Cybersecurity Framework best practices, user and IT administrator training, well thought out incident response procedures for backup, and keeping systems up to date with security patches. The fact remains, however, that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has substantial experience in ransomware virus defense, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), I'm grateful for letting me get rested after we made it through the initial push. Everyone did an incredible effort, and if any of your team is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Montgomery a variety of remote monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services utilize next-generation machine learning capability to detect new strains of ransomware that are able to evade traditional signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely escape traditional signature-matching AV products. ProSight ASM safeguards local and cloud resources and offers a unified platform to manage the complete malware attack progression including filtering, identification, containment, cleanup, and forensics. Key features include single-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering via leading-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business to plan and configure a ProSight ESP environment that meets your company's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will help you define and configure the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent can also help your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services, a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your backup processes and allow non-disruptive backup and fast restoration of critical files/folders, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, human mistakes, malicious employees, or software glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these fully managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security companies to provide web-based management and world-class protection for your email traffic. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with a local security gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises gateway device provides a further layer of inspection for inbound email. For outbound email, the local security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to map out, monitor, optimize and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are kept current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends notices when problems are discovered. By automating complex management and troubleshooting processes, WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, finding devices that require critical updates, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by checking the state of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT management personnel and your assigned Progent engineering consultant so any looming issues can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved easily to an alternate hardware environment without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect data related to your network infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can eliminate as much as 50% of the time wasted looking for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior-based machine learning tools to guard endpoints, servers and VMs against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching AV products. Progent ASM services protect on-premises and cloud-based resources and provide a single platform to manage the entire malware attack progression including protection, infiltration detection, mitigation, cleanup, and forensics. Top features include one-click rollback using Windows VSS and automatic network-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Desk: Call Center Managed Services
Progent's Support Desk managed services allow your information technology team to outsource Call Center services to Progent or divide activity for support services transparently between your internal network support staff and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless extension of your internal network support team. End user access to the Help Desk, provision of technical assistance, issue escalation, trouble ticket generation and tracking, performance measurement, and management of the support database are cohesive whether issues are resolved by your corporate network support staff, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Call Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management provide businesses of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information system. In addition to optimizing the security and reliability of your computer network, Progent's patch management services permit your IT team to focus on line-of-business projects and activities that deliver the highest business value from your network. Learn more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo supports one-tap identity verification with iOS, Android, and other out-of-band devices. With Duo 2FA, when you log into a secured online account and give your password, you are requested to verify who you are on a device that only you possess and that is reached over a different network channel. A broad selection of devices can be utilized as this second means of ID validation, including a smartphone or watch, a hardware/software token, a landline telephone, etc. You can register several verification devices. For details about ProSight Duo identity authentication services, go to Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time reporting utilities designed to integrate with the leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues such as inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For Montgomery 24/7 Crypto-Ransomware Recovery Services, call Progent at 800-462-8800 or go to Contact Progent.