Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware has become a too-frequent cyber pandemic that poses an enterprise-level threat for organizations poorly prepared for an attack. Different iterations of crypto-ransomware like the Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been out in the wild for many years and still cause damage. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus additional unnamed viruses, not only do encryption of on-line information but also infect any configured system restores and backups. Information replicated to the cloud can also be ransomed. In a poorly architected environment, this can render any recovery impossible and basically knocks the network back to square one.
Retrieving programs and information following a crypto-ransomware outage becomes a race against time as the victim fights to stop the spread and cleanup the ransomware and to restore business-critical operations. Since ransomware needs time to spread, attacks are often sprung on weekends, when successful penetrations typically take longer to recognize. This compounds the difficulty of quickly assembling and coordinating a knowledgeable mitigation team.
Progent makes available a variety of help services for protecting organizations from ransomware attacks. These include staff training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security solutions with machine learning technology from SentinelOne to detect and suppress zero-day cyber threats rapidly. Progent also can provide the services of veteran ransomware recovery consultants with the track record and commitment to rebuild a breached system as rapidly as possible.
Progent's Ransomware Restoration Support Services
Following a crypto-ransomware attack, sending the ransom demands in Bitcoin cryptocurrency does not ensure that criminal gangs will return the needed keys to decipher all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their data after having paid the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to setup from scratch the essential parts of your IT environment. Without access to essential information backups, this calls for a broad range of skills, top notch project management, and the ability to work 24x7 until the recovery project is completed.
For two decades, Progent has offered expert Information Technology services for companies in São Paulo and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned advanced certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial systems and ERP application software. This breadth of expertise affords Progent the ability to rapidly understand necessary systems and re-organize the surviving components of your network environment after a ransomware event and assemble them into a functioning network.
Progent's security team of experts utilizes top notch project management systems to coordinate the complicated recovery process. Progent knows the urgency of acting rapidly and in concert with a client's management and Information Technology team members to prioritize tasks and to get critical services back online as fast as possible.
Client Story: A Successful Ransomware Penetration Recovery
A business hired Progent after their network was brought down by Ryuk ransomware virus. Ryuk is thought to have been developed by North Korean state sponsored criminal gangs, possibly adopting techniques exposed from America's National Security Agency. Ryuk seeks specific organizations with limited tolerance for disruption and is one of the most profitable iterations of ransomware malware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with about 500 staff members. The Ryuk penetration had frozen all business operations and manufacturing capabilities. The majority of the client's backups had been online at the time of the attack and were encrypted. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot tell you enough in regards to the expertise Progent provided us during the most critical time of (our) company's life. We had little choice but to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent experts afforded us. That you could get our e-mail system and essential applications back on-line quicker than one week was incredible. Each expert I spoke to or messaged at Progent was hell bent on getting us working again and was working day and night on our behalf."
Progent worked together with the customer to quickly determine and prioritize the most important systems that had to be addressed in order to restart business functions:
- Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent adhered to Anti-virus incident mitigation best practices by halting lateral movement and clearing infected systems. Progent then began the work of rebuilding Windows Active Directory, the foundation of enterprise systems built on Microsoft technology. Exchange messaging will not operate without Windows AD, and the businesses' financials and MRP applications leveraged Microsoft SQL Server, which depends on Active Directory services for security authorization to the databases.
Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then helped perform rebuilding and hard drive recovery of the most important applications. All Exchange Server ties and attributes were usable, which accelerated the rebuild of Exchange. Progent was also able to assemble local OST files (Microsoft Outlook Offline Folder Files) on staff PCs and laptops to recover email data. A not too old offline backup of the client's accounting/MRP systems made it possible to restore these vital applications back available to users. Although major work needed to be completed to recover completely from the Ryuk virus, critical systems were restored rapidly:
"For the most part, the production manufacturing operation never missed a beat and we delivered all customer deliverables."
Throughout the next few weeks critical milestones in the recovery project were achieved through tight collaboration between Progent team members and the customer:
- In-house web applications were restored with no loss of information.
- The MailStore Server containing more than 4 million archived messages was restored to operations and available for users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were 100 percent operational.
- A new Palo Alto Networks 850 firewall was deployed.
- Most of the user PCs were back into operation.
"So much of what occurred that first week is mostly a blur for me, but my management will not forget the dedication each of your team accomplished to give us our business back. I have trusted Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This event was a testament to your capabilities."
Conclusion
A possible business-killing disaster was averted due to top-tier experts, a wide range of IT skills, and tight teamwork. Although upon completion of forensics the ransomware virus attack described here should have been stopped with modern security solutions and best practices, staff training, and appropriate security procedures for backup and proper patching controls, the reality is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware virus, remember that Progent's roster of professionals has substantial experience in ransomware virus blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for letting me get some sleep after we got past the most critical parts. Everyone did an incredible effort, and if anyone is around the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in São Paulo a range of online monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services incorporate next-generation artificial intelligence capability to detect zero-day variants of ransomware that are able to evade traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior machine learning tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely evade legacy signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to automate the complete malware attack progression including filtering, infiltration detection, containment, cleanup, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint control, and web filtering through leading-edge tools incorporated within one agent accessible from a single console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you achieve and demonstrate compliance with legal and industry information security regulations. Progent will assist you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent can also assist you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services, a portfolio of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and enable non-disruptive backup and rapid restoration of critical files/folders, applications, system images, and virtual machines. ProSight DPS lets your business protect against data loss resulting from equipment breakdown, natural disasters, fire, malware like ransomware, human mistakes, ill-intentioned insiders, or software glitches. Managed services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these fully managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security vendors to deliver web-based management and comprehensive protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne threats. The cloud filter serves as a preliminary barricade and blocks most threats from reaching your network firewall. This decreases your exposure to external threats and saves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper level of analysis for inbound email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, monitor, reconfigure and troubleshoot their networking appliances like routers and switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating complex management and troubleshooting activities, WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, finding devices that require important updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by checking the state of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT personnel and your Progent engineering consultant so any looming issues can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved easily to a different hardware environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSLs or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time spent searching for critical information about your network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates next generation behavior machine learning tools to defend endpoint devices and physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. Progent ASM services protect local and cloud resources and provides a single platform to automate the entire malware attack progression including protection, infiltration detection, containment, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Help Center: Support Desk Managed Services
Progent's Call Center services permit your information technology team to outsource Help Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your in-house network support resources and Progent's nationwide pool of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a seamless supplement to your core support resources. Client interaction with the Service Desk, delivery of support, escalation, trouble ticket generation and updates, performance metrics, and maintenance of the support database are consistent whether incidents are resolved by your core support group, by Progent, or by a combination. Read more about Progent's outsourced/shared Call Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer businesses of any size a flexible and affordable alternative for assessing, testing, scheduling, applying, and documenting software and firmware updates to your dynamic IT system. In addition to maximizing the security and reliability of your IT environment, Progent's software/firmware update management services allow your IT team to focus on more strategic projects and tasks that deliver the highest business value from your network. Learn more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication. Duo supports single-tap identity confirmation on iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected online account and enter your password you are asked to confirm your identity on a unit that only you possess and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used as this added form of authentication including a smartphone or watch, a hardware/software token, a landline telephone, etc. You may register multiple verification devices. For details about ProSight Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding line of in-depth reporting tools created to work with the industry's top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For São Paulo 24x7x365 CryptoLocker Recovery Help, call Progent at 800-462-8800 or go to Contact Progent.