Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware has become a too-frequent cyberplague that represents an existential danger for organizations vulnerable to an attack. Different versions of ransomware like the Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been around for a long time and still inflict harm. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as more as yet unnamed viruses, not only do encryption of online critical data but also infiltrate many available system backup. Information synched to cloud environments can also be ransomed. In a vulnerable data protection solution, this can make automated restoration useless and basically knocks the network back to zero.
Retrieving applications and data following a ransomware outage becomes a sprint against the clock as the victim tries its best to contain and remove the ransomware and to resume enterprise-critical operations. Because ransomware takes time to move laterally, assaults are frequently sprung on weekends and holidays, when successful attacks tend to take more time to identify. This multiplies the difficulty of quickly marshalling and orchestrating a capable mitigation team.
Progent offers a range of support services for protecting organizations from crypto-ransomware penetrations. Among these are team training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security appliances with AI technology from SentinelOne to identify and suppress new cyber attacks intelligently. Progent also can provide the services of experienced ransomware recovery consultants with the skills and commitment to restore a compromised environment as urgently as possible.
Progent's Ransomware Recovery Support Services
After a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will return the needed codes to unencrypt all your files. Kaspersky Labs determined that 17% of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to piece back together the key elements of your Information Technology environment. Without the availability of essential system backups, this calls for a wide complement of skills, professional team management, and the willingness to work 24x7 until the recovery project is over.
For decades, Progent has provided expert IT services for companies in Salt Lake City and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise affords Progent the capability to quickly identify critical systems and re-organize the remaining components of your Information Technology environment after a crypto-ransomware attack and configure them into an operational system.
Progent's security team of experts deploys state-of-the-art project management tools to orchestrate the complicated recovery process. Progent understands the importance of working rapidly and in unison with a customer's management and Information Technology resources to assign priority to tasks and to get essential services back on line as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Incident Response
A business escalated to Progent after their company was taken over by Ryuk ransomware virus. Ryuk is generally considered to have been developed by Northern Korean state sponsored cybercriminals, suspected of adopting algorithms leaked from America's National Security Agency. Ryuk targets specific organizations with limited ability to sustain disruption and is one of the most lucrative instances of ransomware viruses. Major victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in the Chicago metro area and has about 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing processes. The majority of the client's data protection had been online at the beginning of the intrusion and were destroyed. The client was taking steps for paying the ransom (in excess of $200,000) and wishfully thinking for good luck, but in the end made the decision to use Progent.
"I cannot tell you enough about the expertise Progent provided us throughout the most stressful period of (our) businesses survival. We had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and production applications back online in less than a week was amazing. Every single expert I interacted with or texted at Progent was hell bent on getting us working again and was working 24 by 7 on our behalf."
Progent worked hand in hand the client to rapidly identify and assign priority to the most important systems that needed to be recovered to make it possible to continue business functions:
To get going, Progent adhered to ransomware event mitigation best practices by isolating and clearing up compromised systems. Progent then initiated the steps of bringing back online Windows Active Directory, the core of enterprise systems built upon Microsoft Windows technology. Exchange email will not work without AD, and the client's financials and MRP applications leveraged Microsoft SQL Server, which requires Active Directory for security authorization to the information.
- Active Directory (AD)
- Electronic Messaging
- Accounting and Manufacturing Software
Within 2 days, Progent was able to recover Active Directory to its pre-virus state. Progent then helped perform reinstallations and storage recovery of needed applications. All Exchange Server schema and configuration information were usable, which facilitated the restore of Exchange. Progent was able to collect intact OST files (Outlook Email Offline Folder Files) on staff PCs and laptops in order to recover email messages. A not too old off-line backup of the customer's accounting/ERP software made it possible to restore these vital services back on-line. Although major work was left to recover fully from the Ryuk damage, the most important services were restored quickly:
"For the most part, the production manufacturing operation was never shut down and we did not miss any customer deliverables."
During the following few weeks important milestones in the recovery project were made in close cooperation between Progent engineers and the customer:
- Self-hosted web applications were brought back up with no loss of information.
- The MailStore Exchange Server with over four million archived messages was spun up and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were completely recovered.
- A new Palo Alto 850 firewall was installed.
- Nearly all of the user workstations were back into operation.
"A lot of what transpired in the initial days is mostly a haze for me, but our team will not forget the urgency all of you put in to give us our business back. I've been working together with Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This event was a life saver."
A likely company-ending catastrophe was dodged due to results-oriented professionals, a wide spectrum of subject matter expertise, and close teamwork. Although in retrospect the ransomware virus incident described here could have been blocked with up-to-date security solutions and NIST Cybersecurity Framework best practices, team education, and properly executed security procedures for backup and keeping systems up to date with security patches, the reality remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware incursion, feel confident that Progent's roster of professionals has extensive experience in crypto-ransomware virus blocking, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for letting me get rested after we got through the first week. Everyone did an amazing effort, and if anyone is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Salt Lake City a range of remote monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services utilize modern artificial intelligence technology to uncover zero-day variants of ransomware that can escape detection by legacy signature-based security products.
For 24x7x365 Salt Lake City CryptoLocker Cleanup Support Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior machine learning technology to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily escape legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a unified platform to address the complete threat lifecycle including filtering, infiltration detection, mitigation, cleanup, and forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can help you to plan and implement a ProSight ESP environment that meets your company's specific needs and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent's consultants can also assist you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup technology companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS products manage and track your backup operations and enable transparent backup and fast recovery of vital files/folders, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human mistakes, malicious insiders, or application bugs. Managed services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top data security vendors to deliver centralized management and comprehensive security for your email traffic. The powerful structure of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter serves as a preliminary barricade and keeps most threats from making it to your security perimeter. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite gateway device provides a further level of inspection for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, track, optimize and troubleshoot their networking hardware like switches, firewalls, and access points plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and displays the configuration information of virtually all devices on your network, monitors performance, and generates alerts when potential issues are detected. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, locating appliances that need important updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the health of vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT staff and your assigned Progent engineering consultant so that any potential issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Because the system is virtualized, it can be ported immediately to a different hardware environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect data about your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSLs or domains. By cleaning up and organizing your network documentation, you can save as much as half of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates cutting edge behavior analysis technology to defend endpoint devices as well as physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely evade traditional signature-matching AV products. Progent Active Security Monitoring services protect local and cloud resources and provides a unified platform to address the complete malware attack progression including protection, identification, containment, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Center: Support Desk Managed Services
Progent's Call Desk managed services permit your IT staff to offload Call Center services to Progent or divide activity for Help Desk services transparently between your in-house support team and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a transparent extension of your core IT support resources. Client interaction with the Service Desk, provision of technical assistance, escalation, trouble ticket creation and updates, performance metrics, and maintenance of the support database are consistent regardless of whether issues are resolved by your core support organization, by Progent, or a mix of the two. Learn more about Progent's outsourced/shared Call Center services.
- Patch Management: Patch Management Services
Progent's managed services for patch management provide businesses of all sizes a versatile and affordable solution for evaluating, validating, scheduling, implementing, and documenting updates to your ever-evolving information network. Besides maximizing the security and reliability of your IT network, Progent's patch management services free up time for your IT staff to concentrate on more strategic projects and activities that derive the highest business value from your information network. Find out more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication. Duo enables single-tap identity verification with iOS, Google Android, and other personal devices. Using Duo 2FA, when you log into a secured application and give your password you are asked to confirm who you are via a device that only you have and that is accessed using a different ("out-of-band") network channel. A wide range of out-of-band devices can be utilized as this second form of ID validation such as a smartphone or watch, a hardware token, a landline phone, etc. You may register several verification devices. For more information about Duo identity validation services, go to Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of in-depth reporting tools created to integrate with the top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.