Crypto-Ransomware : Your Worst IT Disaster
Ransomware has become an escalating cyberplague that poses an existential threat for organizations poorly prepared for an attack. Versions of crypto-ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for many years and still inflict destruction. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with additional as yet unnamed viruses, not only encrypt on-line files but also infect any configured system protection mechanisms. Data synchronized to off-site disaster recovery sites can also be corrupted. In a poorly designed data protection solution, this can render any restore operations useless and effectively sets the datacenter back to square one.
Getting back services and information after a crypto-ransomware attack becomes a race against the clock as the victim tries its best to stop lateral movement and clear the ransomware and to restore business-critical operations. Since ransomware needs time to replicate, attacks are usually launched during nights and weekends, when successful penetrations in many cases take more time to identify. This compounds the difficulty of rapidly mobilizing and organizing a qualified mitigation team.
Progent has a range of help services for securing organizations from ransomware events. Among these are team member training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security solutions with AI capabilities from SentinelOne to identify and suppress new cyber threats rapidly. Progent in addition provides the services of seasoned crypto-ransomware recovery consultants with the talent and commitment to restore a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
Following a ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will respond with the needed keys to decipher any of your files. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the typical ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to setup from scratch the essential elements of your Information Technology environment. Absent the availability of full information backups, this calls for a wide complement of skills, professional team management, and the capability to work 24x7 until the recovery project is finished.
For two decades, Progent has made available professional Information Technology services for companies in Salinas and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's security consultants have garnered internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the capability to rapidly understand necessary systems and integrate the remaining components of your Information Technology environment after a crypto-ransomware event and configure them into a functioning system.
Progent's ransomware team utilizes top notch project management systems to orchestrate the complicated restoration process. Progent appreciates the importance of working rapidly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to get critical systems back on line as soon as possible.
Customer Story: A Successful Ransomware Incident Response
A business contacted Progent after their network system was brought down by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean government sponsored criminal gangs, suspected of using strategies exposed from America's National Security Agency. Ryuk goes after specific businesses with limited room for operational disruption and is among the most profitable versions of ransomware malware. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area and has about 500 employees. The Ryuk event had frozen all essential operations and manufacturing processes. Most of the client's system backups had been directly accessible at the time of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end utilized Progent.
"I can't thank you enough about the expertise Progent gave us throughout the most stressful period of (our) company's existence. We may have had to pay the hackers behind this attack if not for the confidence the Progent experts afforded us. That you could get our e-mail system and key applications back quicker than five days was amazing. Each person I interacted with or e-mailed at Progent was totally committed on getting us restored and was working non-stop to bail us out."
Progent worked hand in hand the customer to quickly assess and prioritize the key applications that had to be recovered to make it possible to continue departmental functions:
- Active Directory (AD)
- Email
- Financials/MRP
To start, Progent adhered to AV/Malware Processes penetration response industry best practices by halting lateral movement and removing active viruses. Progent then started the process of rebuilding Microsoft AD, the key technology of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange messaging will not work without AD, and the customer's MRP applications used SQL Server, which needs Active Directory for access to the information.
In less than two days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then assisted with rebuilding and storage recovery of the most important servers. All Exchange data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Offline Folder Files) on various workstations and laptops in order to recover mail messages. A recent off-line backup of the customer's accounting systems made them able to return these essential applications back servicing users. Although a lot of work was left to recover fully from the Ryuk event, critical services were returned to operations rapidly:
"For the most part, the manufacturing operation survived unscathed and we made all customer sales."
Throughout the following couple of weeks critical milestones in the recovery project were achieved through close collaboration between Progent engineers and the client:
- In-house web applications were returned to operation without losing any information.
- The MailStore Exchange Server containing more than 4 million historical messages was spun up and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory modules were 100% functional.
- A new Palo Alto Networks 850 security appliance was set up and programmed.
- 90% of the user desktops were fully operational.
"A huge amount of what occurred during the initial response is mostly a haze for me, but our team will not soon forget the countless hours each of the team accomplished to help get our company back. I have been working with Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This situation was a testament to your capabilities."
Conclusion
A possible business-ending disaster was averted with dedicated professionals, a broad spectrum of technical expertise, and tight collaboration. Although in post mortem the ransomware incident detailed here could have been identified and disabled with modern cyber security systems and recognized best practices, team education, and well thought out incident response procedures for data backup and proper patching controls, the fact remains that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has proven experience in ransomware virus blocking, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for allowing me to get some sleep after we made it past the first week. All of you did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Salinas a variety of online monitoring and security evaluation services to assist you to minimize your vulnerability to ransomware. These services include modern artificial intelligence technology to detect zero-day strains of ransomware that can escape detection by legacy signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-matching AV tools. ProSight ASM protects local and cloud resources and provides a unified platform to address the complete malware attack lifecycle including blocking, detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your company's unique requirements and that allows you demonstrate compliance with government and industry data protection standards. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also assist your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore software providers to produce ProSight Data Protection Services (DPS), a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup processes and enable transparent backup and rapid restoration of critical files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss caused by equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned employees, or software glitches. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security companies to provide centralized management and world-class security for your email traffic. The powerful structure of Progent's Email Guard integrates cloud-based filtering with a local gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email from making it to your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further level of analysis for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, monitor, optimize and debug their networking appliances like routers, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are always updated, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, finding appliances that need important software patches, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your network running efficiently by tracking the state of vital assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT staff and your assigned Progent consultant so all looming issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard data about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your network documentation, you can save as much as half of time spent looking for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and sharing all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates next generation behavior-based analysis technology to defend endpoint devices and physical and virtual servers against modern malware assaults like ransomware and email phishing, which easily get by traditional signature-based anti-virus products. Progent Active Security Monitoring services protect local and cloud resources and provides a single platform to manage the entire malware attack lifecycle including filtering, identification, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Find out more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Help Desk: Call Center Managed Services
Progent's Help Desk managed services permit your information technology staff to offload Call Center services to Progent or divide activity for support services transparently between your internal support resources and Progent's extensive roster of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a smooth supplement to your corporate support organization. Client interaction with the Help Desk, delivery of support services, problem escalation, ticket generation and updates, performance metrics, and maintenance of the support database are consistent regardless of whether incidents are resolved by your internal network support staff, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Call Desk services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for patch management offer businesses of all sizes a flexible and cost-effective solution for assessing, validating, scheduling, implementing, and tracking updates to your ever-evolving information system. In addition to optimizing the protection and reliability of your computer environment, Progent's patch management services permit your IT staff to focus on line-of-business projects and tasks that derive maximum business value from your information network. Read more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. Using 2FA, whenever you sign into a protected online account and enter your password you are requested to confirm who you are via a device that only you possess and that uses a different network channel. A wide range of out-of-band devices can be utilized as this added form of ID validation such as an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can register several validation devices. To find out more about ProSight Duo two-factor identity validation services, go to Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of real-time reporting plug-ins created to work with the leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as inconsistent support follow-up or endpoints with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For Salinas 24x7 CryptoLocker Recovery Help, call Progent at 800-462-8800 or go to Contact Progent.