Ransomware : Your Feared IT Nightmare
Crypto-ransomware has become an all-too-frequent plague that poses an existential danger to organizations unprepared for an attack. Ransomware families such as Dharma, WannaCry, Bad Rabbit, Syskey and the MongoLock cryptoworms have been in the wild for years and still cause destruction. Modern crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, plus a daily stream of as yet unnamed malware, not only encrypt on-line data files but also attack many of the system protection mechanisms that have been configured. Information synced to the cloud can also be corrupted. With a poorly designed data protection solution, this can render automatic restoration useless and effectively knock the datacenter back to zero.
Getting on-line services and information back following a crypto-ransomware intrusion becomes a race against the clock as the targeted organization fights to stop the spread, clear the ransomware, and restore mission-critical activity. Because crypto-ransomware takes time to spread, attacks are often launched on weekends and at night, when intrusions tend to go unnoticed for longer. This multiplies the difficulty of promptly mobilizing and coordinating a capable response team.
Progent offers a variety of services for protecting enterprises from crypto-ransomware incidents. These include staff education to help employees recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security gateways with machine learning technology from SentinelOne to discover and suppress new cyber threats automatically. Progent also offers the assistance of expert ransomware recovery consultants with the skills and perseverance to reconstruct a compromised system as rapidly as possible.
Progent's Crypto-Ransomware Recovery Services
Following a ransomware attack, paying the ransom in cryptocurrency does not ensure that the criminals will provide the keys needed to decrypt all your information. Kaspersky Lab found that 17% of ransomware victims never recovered their information even after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms are often several hundred thousand dollars. For larger enterprises, the ransom demand can reach millions. The alternative is to set up the key elements of your IT environment from scratch. Without essential system backups available, this requires a broad complement of IT skills, well-coordinated team management, and the capability to work non-stop until the job is complete.
For decades, Progent has provided certified expert Information Technology services for companies throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who hold advanced certifications in foundation technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISM, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the capability to rapidly identify the necessary systems, organize the remaining pieces of your network environment following a ransomware attack, and assemble them into a functioning network.
Progent's security team uses state-of-the-art project management tools to orchestrate the sophisticated recovery process. Progent understands the urgency of acting rapidly, working together with a client's management and IT team members to prioritize tasks and get the most important applications back on-line as soon as humanly possible.
Customer Case Study: A Successful Ransomware Incident Recovery
A small business engaged Progent after its organization was taken over by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored hackers, suspected of using techniques leaked from America's NSA. Ryuk goes after specific companies with little or no ability to sustain disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk intrusion had disabled all company operations and manufacturing processes. Most of the client's backups had been on-line at the time of the attack and were encrypted. The client was evaluating paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately engaged Progent.
"I can't tell you enough in regards to the care Progent gave us throughout the most stressful period of (our) business's survival. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group gave us. That you could get our e-mail system and important servers back online faster than five days was incredible. Each expert I got help from or e-mailed at Progent was laser focused on getting us restored and was working at all hours on our behalf."
Progent worked with the customer to rapidly identify and prioritize the most important applications that had to be restored in order to resume departmental functions:
- Windows Active Directory
- Email
- Accounting/MRP
To begin, Progent followed incident response industry best practices by isolating the affected systems and carrying out malware removal. Progent then started rebuilding Microsoft Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Active Directory, and the client's financials and MRP system relied on Microsoft SQL Server, which requires Active Directory for authentication to the data.
Within two days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then began rebuilding the required servers and recovering their storage. All Exchange Server ties and configuration information were usable, which facilitated the restoration of Exchange. Progent was also able to collect local OST files (Microsoft Outlook Offline Data Files) from user desktops and laptops in order to recover mail data. A recent off-line backup of the customer's accounting/MRP systems made it possible to bring these vital applications back on-line. Although significant work remained to recover fully from the Ryuk damage, core systems were recovered rapidly:
"For the most part, the production line operation was never shut down and we produced all customer deliverables."
Over the next few weeks, critical milestones in the restoration project were reached in tight cooperation between Progent team members and the client:
- Self-hosted web applications were restored with no loss of information.
- The MailStore Exchange Server archive, holding more than four million historical messages, was spun up and made accessible to users.
- CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory capabilities were 100% recovered.
- A new Palo Alto 850 firewall was brought online.
- Most of the user workstations were functioning as before the incident.
"A lot of what transpired those first few days is mostly a blur for me, but my team will not soon forget the urgency each of you accomplished to help get our company back. I have entrusted Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This event was the most impressive ever."
Conclusion
A probable business disaster was averted through results-oriented experts, a wide range of subject matter expertise, and tight collaboration. In retrospect, the crypto-ransomware attack detailed here should have been identified and stopped with up-to-date security solutions and ISO/IEC 27001 best practices, user and IT administrator education, and well thought out procedures for backing up information and keeping systems current with security patches. The fact remains, however, that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and an ongoing threat. If you do fall victim to a ransomware incident, you can be confident that Progent's team of professionals has substantial experience in ransomware blocking, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), I'm grateful for letting me get some sleep after we made it through the initial push. Everyone did an incredible effort, and if any of your team is visiting the Chicago area, dinner is my treat!"
To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Salt Lake City a variety of remote monitoring and security assessment services to help you minimize your exposure to crypto-ransomware. These services include modern machine learning technology to detect zero-day variants of crypto-ransomware that escape detection by legacy signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by checking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT management staff and your Progent engineering consultant so all looming issues can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software delivers a centralized, cloud-driven platform for managing your network, server, and desktop devices by offering an environment for streamlining common tedious jobs. These can include health monitoring, update management, automated repairs, endpoint setup, backup and recovery, A/V response, remote access, built-in and custom scripts, resource inventory, endpoint status reporting, and debugging assistance. When ProSight LAN Watch with NinjaOne RMM identifies a serious problem, it transmits an alarm to your designated IT personnel and your Progent technical consultant so emerging issues can be fixed before they impact your network. Find out more details about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, optimize and debug their connectivity hardware such as routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology diagrams are always current, copies and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, locating devices that need important software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of in-depth management reporting tools designed to work with the top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with advanced backup/restore software providers to create ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products manage and track your backup operations and enable non-disruptive backup and fast restoration of important files/folders, applications, system images, and VMs. ProSight DPS lets your business recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or software glitches. Managed services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security vendors to provide centralized control and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most threats from making it to your network firewall. This reduces your exposure to external threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper layer of analysis for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA services incorporate Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation on iOS, Google Android, and other out-of-band devices. Using Duo 2FA, when you log into a secured online account and give your password you are asked to confirm who you are on a unit that only you possess and that is accessed using a different ("out-of-band") network channel. A wide range of out-of-band devices can be used as this second form of authentication including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may register multiple verification devices. For details about Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication services for access security.
- Progent's Outsourced/Shared Help Desk: Call Center Managed Services
Progent's Support Desk services permit your information technology group to offload Call Center services to Progent or divide responsibilities for support services seamlessly between your in-house network support resources and Progent's extensive roster of IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a transparent extension of your corporate IT support staff. Client access to the Service Desk, provision of technical assistance, escalation, ticket creation and tracking, efficiency metrics, and maintenance of the support database are cohesive whether incidents are taken care of by your in-house network support group, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/shared Service Desk services.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that uses cutting-edge behavior-based analysis technology to defend endpoint devices, servers and VMs against modern malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-based AV tools. Progent's Active Security Monitoring services protect on-premises and cloud resources and offer a unified platform to address the entire malware attack lifecycle, including protection, identification, containment, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect data about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save as much as 50% of time spent trying to find vital information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent's Patch Management: Patch Management Services
Progent's managed services for patch management offer organizations of any size a versatile and affordable solution for evaluating, testing, scheduling, applying, and tracking updates to your ever-evolving information network. Besides optimizing the security and functionality of your computer network, Progent's patch management services allow your IT staff to concentrate on line-of-business projects and activities that deliver maximum business value from your information network. Find out more about Progent's software/firmware update management support services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that uses SentinelOne's next-generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely get past traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to automate the entire malware attack progression, including blocking, detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization experts can help your business to design and configure a ProSight ESP environment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent's consultants can also help your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
For 24-Hour Salt Lake City Crypto Cleanup Experts, contact Progent at 800-462-8800 or go to Contact Progent.