Ransomware : Your Feared IT Disaster
Ransomware has become a too-frequent cyberplague that presents an extinction-level threat for businesses unprepared for an assault. Different iterations of ransomware such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been around for a long time and continue to inflict damage. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with daily unnamed malware, not only do encryption of online data but also infiltrate most available system backup. Data synched to off-site disaster recovery sites can also be corrupted. In a vulnerable data protection solution, this can make automated recovery useless and basically knocks the datacenter back to zero.
Getting back online services and information following a ransomware attack becomes a sprint against the clock as the targeted organization fights to stop the spread and remove the ransomware and to resume enterprise-critical operations. Since crypto-ransomware requires time to spread, penetrations are often launched at night, when successful attacks in many cases take longer to discover. This multiplies the difficulty of promptly marshalling and coordinating a capable response team.
Progent has an assortment of support services for securing enterprises from ransomware attacks. These include team member education to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security solutions with AI capabilities from SentinelOne to identify and quarantine day-zero cyber threats automatically. Progent in addition offers the assistance of experienced crypto-ransomware recovery engineers with the skills and commitment to rebuild a breached system as rapidly as possible.
Progent's Ransomware Recovery Help
Soon after a ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that distant criminals will return the keys to decrypt all your files. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the average crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to setup from scratch the critical components of your IT environment. Without access to essential system backups, this calls for a wide complement of skills, professional project management, and the capability to work 24x7 until the job is done.
For twenty years, Progent has made available expert IT services for companies in São Paulo and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and major distros of Linux. Progent's cyber security specialists have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in financial systems and ERP software solutions. This breadth of expertise affords Progent the skills to efficiently determine critical systems and integrate the surviving parts of your network system following a ransomware event and configure them into a functioning network.
Progent's recovery team utilizes best of breed project management tools to orchestrate the sophisticated recovery process. Progent understands the urgency of acting rapidly and in unison with a client's management and IT resources to assign priority to tasks and to put key systems back online as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Virus Restoration
A customer hired Progent after their network was brought down by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state cybercriminals, possibly using techniques leaked from the United States National Security Agency. Ryuk seeks specific companies with little ability to sustain disruption and is among the most lucrative instances of ransomware malware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with about 500 workers. The Ryuk event had frozen all company operations and manufacturing capabilities. Most of the client's system backups had been on-line at the start of the intrusion and were destroyed. The client considered paying the ransom demand (more than two hundred thousand dollars) and praying for the best, but ultimately made the decision to use Progent.
"I cannot thank you enough in regards to the care Progent gave us throughout the most stressful time of (our) company's survival. We would have paid the criminal gangs except for the confidence the Progent team gave us. That you were able to get our messaging and key applications back sooner than five days was incredible. Each person I spoke to or texted at Progent was hell bent on getting our system up and was working at all hours on our behalf."
Progent worked with the customer to quickly identify and assign priority to the mission critical areas that needed to be recovered in order to resume departmental operations:
- Active Directory
- E-Mail
- Financials/MRP
To get going, Progent followed ransomware penetration response industry best practices by halting lateral movement and clearing up compromised systems. Progent then began the task of rebuilding Windows Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Exchange email will not function without Active Directory, and the client's MRP software used SQL Server, which depends on Windows AD for authentication to the database.
In less than two days, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then initiated setup and storage recovery on needed systems. All Exchange Server ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Microsoft Outlook Offline Data Files) on team desktop computers in order to recover mail information. A not too old off-line backup of the customer's manufacturing systems made them able to return these required applications back on-line. Although significant work needed to be completed to recover totally from the Ryuk event, critical services were restored rapidly:
"For the most part, the manufacturing operation showed little impact and we produced all customer deliverables."
During the following month critical milestones in the recovery project were made in close collaboration between Progent engineers and the client:
- In-house web applications were brought back up without losing any information.
- The MailStore Exchange Server with over 4 million historical messages was restored to operations and available for users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory functions were 100% operational.
- A new Palo Alto 850 firewall was installed and configured.
- Most of the user workstations were fully operational.
"A lot of what went on those first few days is nearly entirely a haze for me, but we will not forget the urgency each and every one of your team put in to give us our company back. I have been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This time was a Herculean accomplishment."
Conclusion
A probable business disaster was dodged with dedicated professionals, a broad array of technical expertise, and tight teamwork. Although in retrospect the ransomware penetration detailed here would have been prevented with modern cyber security technology solutions and ISO/IEC 27001 best practices, team training, and appropriate incident response procedures for data protection and applying software patches, the fact is that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incursion, feel confident that Progent's roster of professionals has a proven track record in crypto-ransomware virus defense, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for allowing me to get some sleep after we made it past the first week. Everyone did an amazing job, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in São Paulo a range of online monitoring and security assessment services to assist you to reduce your vulnerability to crypto-ransomware. These services include modern machine learning capability to uncover new strains of ransomware that are able to get past legacy signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior analysis technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to manage the complete threat progression including blocking, identification, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, endpoint management, and web filtering via leading-edge tools incorporated within a single agent managed from a single control. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP deployment that meets your company's specific requirements and that allows you achieve and demonstrate compliance with government and industry data protection standards. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent's consultants can also assist you to set up and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with leading backup technology companies to create ProSight Data Protection Services (DPS), a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and enable transparent backup and fast recovery of vital files, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by hardware breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned insiders, or software bugs. Managed services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading information security vendors to deliver web-based management and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper level of analysis for inbound email. For outbound email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to monitor and protect internal email traffic that stays within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to map, track, enhance and troubleshoot their networking hardware such as switches, firewalls, and access points plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are always current, captures and displays the configuration information of virtually all devices on your network, tracks performance, and sends alerts when problems are discovered. By automating complex network management processes, WAN Watch can knock hours off common chores such as network mapping, expanding your network, finding appliances that require critical updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your designated IT management personnel and your assigned Progent engineering consultant so all potential problems can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hardware environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can save up to half of time spent looking for critical information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes cutting edge behavior analysis technology to guard endpoint devices and servers and VMs against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus tools. Progent ASM services safeguard on-premises and cloud resources and offers a unified platform to automate the entire threat lifecycle including protection, identification, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Call Center: Call Center Managed Services
Progent's Call Desk managed services permit your information technology group to outsource Call Center services to Progent or split responsibilities for support services transparently between your internal support group and Progent's extensive pool of IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a smooth extension of your in-house network support staff. End user interaction with the Service Desk, delivery of support, issue escalation, trouble ticket creation and updates, performance measurement, and management of the support database are cohesive whether issues are taken care of by your in-house IT support resources, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide businesses of any size a versatile and cost-effective solution for evaluating, testing, scheduling, implementing, and tracking updates to your ever-evolving IT system. In addition to maximizing the security and reliability of your computer network, Progent's software/firmware update management services allow your IT team to focus on more strategic projects and tasks that derive maximum business value from your network. Read more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication. Duo supports single-tap identity verification with iOS, Google Android, and other personal devices. Using 2FA, when you log into a protected application and enter your password you are asked to confirm your identity via a device that only you possess and that is accessed using a separate network channel. A wide selection of out-of-band devices can be utilized for this added means of ID validation such as a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may designate several verification devices. For details about ProSight Duo identity validation services, go to Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of real-time and in-depth reporting tools created to integrate with the leading ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues like inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For São Paulo 24/7 Ransomware Removal Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.