Ransomware : Your Worst IT Nightmare
Ransomware has become a too-frequent cyber pandemic that presents an existential threat for businesses poorly prepared for an attack. Different iterations of ransomware such as CrySIS, Fusob, Locky, NotPetya and MongoLock cryptoworms have been replicating for a long time and still inflict damage. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus additional as yet unnamed newcomers, not only encrypt on-line data files but also infect most configured system protection mechanisms. Information synchronized to the cloud can also be rendered useless. In a poorly designed environment, it can render any restoration hopeless and effectively knocks the datacenter back to zero.
Restoring applications and information after a ransomware intrusion becomes a sprint against the clock as the targeted business fights to contain the damage and cleanup the crypto-ransomware and to resume business-critical operations. Due to the fact that ransomware requires time to spread, penetrations are often sprung on weekends, when penetrations in many cases take more time to discover. This compounds the difficulty of quickly mobilizing and organizing an experienced mitigation team.
Progent offers a range of services for protecting businesses from ransomware events. Among these are team training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security appliances with machine learning technology from SentinelOne to discover and disable zero-day threats automatically. Progent in addition can provide the assistance of expert crypto-ransomware recovery consultants with the track record and perseverance to reconstruct a compromised system as urgently as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware penetration, sending the ransom in cryptocurrency does not guarantee that distant criminals will return the needed keys to decrypt any of your data. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their data even after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to re-install the vital parts of your IT environment. Without the availability of complete data backups, this calls for a broad range of skill sets, professional team management, and the willingness to work 24x7 until the task is completed.
For decades, Progent has made available certified expert IT services for companies in Houston and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained top certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of experience affords Progent the capability to rapidly determine important systems and organize the remaining parts of your Information Technology environment following a ransomware penetration and configure them into a functioning system.
Progent's recovery team uses best of breed project management applications to orchestrate the complicated recovery process. Progent knows the importance of working swiftly and together with a client's management and IT resources to prioritize tasks and to get key services back on-line as soon as possible.
Case Study: A Successful Ransomware Virus Response
A business contacted Progent after their network system was attacked by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state criminal gangs, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk seeks specific businesses with little room for disruption and is among the most lucrative examples of ransomware. Well Known organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in Chicago and has about 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing processes. Most of the client's data protection had been on-line at the beginning of the intrusion and were damaged. The client considered paying the ransom (in excess of two hundred thousand dollars) and praying for the best, but in the end brought in Progent.
"I can't thank you enough in regards to the care Progent gave us throughout the most stressful period of (our) businesses survival. We would have paid the cyber criminals if not for the confidence the Progent experts afforded us. That you were able to get our e-mail and key servers back into operation in less than one week was amazing. Each consultant I worked with or e-mailed at Progent was hell bent on getting my company operational and was working non-stop to bail us out."
Progent worked together with the customer to rapidly understand and prioritize the critical systems that had to be recovered to make it possible to restart business functions:
- Active Directory (AD)
- Electronic Mail
- MRP System
To begin, Progent adhered to ransomware incident mitigation best practices by stopping the spread and cleaning systems of viruses. Progent then began the steps of restoring Microsoft AD, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange email will not function without Active Directory, and the customer's MRP system used Microsoft SQL, which depends on Active Directory services for security authorization to the databases.
Within 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then initiated setup and hard drive recovery on the most important servers. All Microsoft Exchange Server ties and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST data files (Microsoft Outlook Offline Data Files) on user desktop computers and laptops in order to recover email data. A not too old off-line backup of the client's financials/MRP systems made it possible to recover these essential services back online for users. Although a lot of work needed to be completed to recover fully from the Ryuk damage, critical services were recovered rapidly:
"For the most part, the production manufacturing operation never missed a beat and we produced all customer sales."
During the following few weeks key milestones in the recovery project were completed through close cooperation between Progent consultants and the client:
- Internal web sites were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server with over four million historical messages was restored to operations and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were fully recovered.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of the desktop computers were back into operation.
"So much of what was accomplished in the early hours is nearly entirely a fog for me, but our team will not soon forget the countless hours each of the team put in to give us our business back. I have been working with Progent for the past ten years, possibly more, and each time Progent has come through and delivered. This time was no exception but maybe more Herculean."
Conclusion
A possible company-ending catastrophe was evaded through the efforts of top-tier experts, a broad range of IT skills, and close collaboration. Although in post mortem the ransomware attack described here should have been disabled with advanced security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and properly executed security procedures for information backup and applying software patches, the fact is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of experts has proven experience in crypto-ransomware virus defense, remediation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), I'm grateful for allowing me to get some sleep after we made it over the first week. All of you did an impressive job, and if any of your guys is visiting the Chicago area, a great meal is on me!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Houston a portfolio of remote monitoring and security evaluation services designed to assist you to minimize the threat from ransomware. These services incorporate next-generation machine learning capability to uncover new strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior-based machine learning tools to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily evade legacy signature-based anti-virus tools. ProSight ASM protects local and cloud-based resources and offers a single platform to address the entire threat lifecycle including protection, identification, containment, cleanup, and forensics. Top capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge tools incorporated within a single agent managed from a single control. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with legal and industry information security standards. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent's consultants can also assist your company to set up and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with leading backup software companies to create ProSight Data Protection Services (DPS), a family of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your backup processes and enable transparent backup and rapid recovery of important files/folders, apps, system images, and virtual machines. ProSight DPS lets your business recover from data loss resulting from hardware failures, natural calamities, fire, malware like ransomware, human mistakes, malicious employees, or software bugs. Managed services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security companies to provide web-based management and comprehensive security for all your inbound and outbound email. The powerful structure of Email Guard combines cloud-based filtering with an on-premises security gateway device to offer advanced protection against spam, viruses, Dos Attacks, DHAs, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most threats from making it to your security perimeter. This reduces your vulnerability to inbound attacks and saves network bandwidth and storage. Email Guard's onsite gateway device adds a further level of inspection for inbound email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, reconfigure and troubleshoot their networking hardware such as switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration of almost all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating devices that need important software patches, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running efficiently by tracking the state of vital computers that drive your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT staff and your Progent consultant so all potential problems can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard information related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to 50% of time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates next generation behavior machine learning technology to defend endpoint devices as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-based AV tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and offers a single platform to address the complete threat lifecycle including blocking, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Call Center: Support Desk Managed Services
Progent's Call Center services allow your IT team to outsource Call Center services to Progent or split responsibilities for Service Desk support transparently between your internal network support group and Progent's extensive pool of IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a smooth supplement to your core support staff. Client interaction with the Service Desk, delivery of technical assistance, problem escalation, trouble ticket creation and updates, performance metrics, and maintenance of the service database are consistent regardless of whether incidents are resolved by your core network support group, by Progent's team, or by a combination. Find out more about Progent's outsourced/co-managed Help Center services.
- Patch Management: Patch Management Services
Progent's managed services for patch management offer businesses of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information system. Besides maximizing the protection and reliability of your computer network, Progent's software/firmware update management services free up time for your IT staff to focus on more strategic initiatives and activities that derive the highest business value from your network. Read more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA services incorporate Cisco's Duo technology to protect against password theft through the use of two-factor authentication (2FA). Duo supports one-tap identity confirmation on iOS, Google Android, and other personal devices. With Duo 2FA, when you sign into a protected online account and enter your password you are requested to confirm your identity on a unit that only you possess and that is accessed using a separate network channel. A broad selection of out-of-band devices can be utilized for this added means of ID validation such as an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You can register several validation devices. To learn more about Duo identity validation services, visit Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of real-time management reporting plug-ins designed to integrate with the top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-up or endpoints with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For Houston 24/7 Crypto Removal Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.