Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become an all too frequent plague that poses an existential threat to businesses of every size that are unprepared for an attack. Ransomware families such as Dharma, Fusob, Locky, NotPetya and MongoLock have been running rampant for years and still inflict damage. Modern families such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a steady stream of newcomers, not only encrypt online files but also hunt down and destroy every backup and shadow copy they can reach. Data replicated to off-site disaster recovery sites can be encrypted as well. In a vulnerable environment this can make automated recovery impossible and effectively set the network back to zero.
Restoring services and data after a crypto-ransomware attack is a race against the clock as the victim works to contain and clean up the malware and bring business-critical activity back. Because encryption and lateral spread take time, attacks are frequently launched at night or on weekends, when they take longer to detect. This compounds the difficulty of rapidly assembling and coordinating a qualified response team.
Progent offers a range of services for protecting businesses against crypto-ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation endpoint protection from SentinelOne that uses behavioral machine learning to detect and stop new attacks automatically. Progent can also provide expert ransomware recovery engineers with the skills and persistence to rebuild a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will hand over working decryption keys. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. Paying is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at roughly $13,000. The alternative is to rebuild the mission-critical parts of your IT environment. Without usable backups, this requires a broad complement of IT skills, professional project management, and the willingness to work around the clock until the job is done.
For two decades, Progent has provided expert IT services to businesses in Houston and throughout the U.S. and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals with top industry certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISA, CISSP, CRISC and GIAC (see Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of experience lets Progent quickly understand critical systems, salvage the surviving pieces of your network after a crypto-ransomware attack, and reassemble them into a functioning environment.
Progent's security group uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the urgency of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and bring critical systems back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Penetration Recovery
A client engaged Progent after its network was hit by the Ryuk ransomware. Early analyses linked Ryuk to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later research attributed it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for downtime and is among the most profitable crypto-ransomware operations. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business in Chicago with about 500 employees. The Ryuk attack had shut down all business operations and manufacturing. Most of the client's backups had been online at the start of the attack and were destroyed. The client was arranging financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.
"I cannot speak enough about the support Progent gave us throughout the most critical time of (our) company's existence. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent group afforded us. The fact that you were able to get our e-mail and key servers back faster than 1 week was something I thought impossible. Each staff member I worked with or messaged at Progent was urgently focused on getting us restored and was working 24 by 7 to bail us out."
Progent worked hand in hand with the client to rapidly assess and prioritize the mission-critical elements that had to be addressed to keep departments functioning:
- Windows Active Directory
- E-Mail
- Accounting and Manufacturing Software
Progent first followed industry best practices for malware incident response by containing the spread and cleaning infected systems. Progent then began bringing Windows Active Directory back online, the heart of enterprise environments built on Microsoft Windows Server. Exchange email will not operate without Active Directory, and the client's MRP applications ran on SQL Server, which relied on Active Directory for Windows authentication to the database.
In less than two days, Progent restored Windows Active Directory to its pre-attack state. Progent then began reinstalling the needed servers and recovering their storage. All Exchange Server schema and configuration data in Active Directory were intact, which simplified the Exchange rebuild. Progent located local OST files (Microsoft Outlook Offline Data Files) on user desktops to recover mailbox contents. A reasonably recent offline backup of the client's manufacturing software made it possible to put those essential applications back into service. Although major work remained to recover fully from the Ryuk event, essential services were restored quickly:
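As an added illustration of the mailbox-salvage step described above (example script, not Progent's own tooling): a PowerShell run from a clean administrative workstation that inventories Outlook OST files on a list of user PCs over the C$ admin share, copies them to a recovery share, and records a SHA-256 manifest so the responder knows which mailbox data was captured and from where. The hostnames and the recovery share path are constructed assumptions; the script assumes local administrator rights on each PC, that the admin share is enabled, and that Outlook has been closed on each PC so the OST file is not locked.

```powershell
# Added example, not Progent's code. Harvest Outlook OST files from user PCs after an
# Exchange rebuild so mailbox contents can be recovered. Run from a clean admin host.

$Workstations  = @('WS-ENG-01', 'WS-ENG-02', 'WS-ACCT-07')   # constructed sample list
$RecoveryShare = '\\recovery01\ost'                            # assumed clean, writable share
$Manifest      = Join-Path $RecoveryShare 'ost-manifest.csv'
$Results       = @()

foreach ($Computer in $Workstations) {
    $ProfileRoot = "\\$Computer\C`$\Users"
    if (-not (Test-Path $ProfileRoot)) {
        Write-Warning "$Computer unreachable or admin share disabled; skipping"
        continue
    }

    # Outlook 2013 and later keep OST files under %LOCALAPPDATA%\Microsoft\Outlook
    $OstFiles = Get-ChildItem -Path $ProfileRoot -Filter '*.ost' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*\AppData\Local\Microsoft\Outlook\*' }

    foreach ($Ost in $OstFiles) {
        # Prefix with the host name so files from different PCs cannot collide
        $Dest = Join-Path $RecoveryShare ('{0}_{1}' -f $Computer, $Ost.Name)
        try {
            # Copy fails if Outlook still holds the file open; close Outlook on the PC first
            Copy-Item -Path $Ost.FullName -Destination $Dest -ErrorAction Stop
            $Hash = (Get-FileHash -Path $Dest -Algorithm SHA256).Hash
            $Results += [pscustomobject]@{
                Host      = $Computer
                User      = ($Ost.FullName -split '\\')[5]   # \\host\C$\Users\<user>\...
                Source    = $Ost.FullName
                SizeMB    = [math]::Round($Ost.Length / 1MB, 1)
                LastWrite = $Ost.LastWriteTime               # compare against the encryption window
                SHA256    = $Hash
            }
        } catch {
            Write-Warning "Failed to copy $($Ost.FullName): $($_.Exception.Message)"
        }
    }
}

$Results | Export-Csv -Path $Manifest -NoTypeInformation
$Results | Format-Table Host, User, SizeMB, LastWrite -AutoSize
```

An OST can only be opened by the Outlook profile that created it, so the recovered copies are normally either exported to PST from Outlook in offline mode on the original PC or converted with an OST-to-PST tool before being imported into the rebuilt mailbox. The LastWrite column matters: a file that still ends in .ost but was modified during the attack window should be treated as suspect until it has been opened successfully.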
"For the most part, the assembly line operation did not miss a beat and we made all customer deliverables."
Over the next month, key milestones in the restoration project were reached in close collaboration between Progent and the client:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore email archive, holding more than 4 million historical emails, was restored and made available to users.
- The CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory modules were 100% functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Most user desktops and notebooks were back in operation.
"A huge amount of what was accomplished those first few days is mostly a blur for me, but we will not soon forget the commitment all of you accomplished to help get our company back. I've been working with Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This situation was no exception but maybe more Herculean."
Conclusion
A potentially business-ending catastrophe was averted through hard-working experts, a broad spectrum of technical expertise, and close collaboration. In hindsight, the ransomware intrusion described here would likely have been blocked by modern security technology, NIST Cybersecurity Framework best practices, user education, and well-designed procedures for offline backups and timely patching. Nevertheless, state-sponsored and criminal attackers from China, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's experts have a proven track record in ransomware defense, mitigation, and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), thank you for making it so I could get some sleep after we made it past the initial fire. All of you made a fabulous effort, and if any of you guys are in the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Houston a range of remote monitoring and security assessment services designed to minimize the threat from crypto-ransomware. These services use next-generation behavioral and machine-learning detection to catch new ransomware variants that slip past traditional signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service built on SentinelOne's behavioral machine learning technology to guard physical and virtual endpoints against new malware attacks such as ransomware and phishing payloads that easily evade traditional signature-based anti-virus products. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform covering the complete malware attack lifecycle: prevention, intrusion detection, containment, remediation, and forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services deliver ultra-affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering via leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can help you to plan and implement a ProSight ESP deployment that addresses your company's specific needs and that allows you to prove compliance with government and industry information security regulations. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for immediate action. Progent can also help you to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup software companies to produce ProSight Data Protection Services, a family of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and track your backup operations and enable non-disruptive backup and rapid recovery of critical files, apps, system images, and VMs. ProSight DPS lets you recover from data loss caused by equipment failures, natural disasters, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or software glitches. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security companies to deliver web-based control and comprehensive security for all your inbound and outbound email. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite gateway device adds a deeper layer of inspection for inbound email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map, track, reconfigure and debug their networking appliances like routers and switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are kept current, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, locating appliances that need important software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your network running efficiently by checking the health of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT staff and your Progent engineering consultant so that all looming problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Since the system is virtualized, it can be moved easily to a different hardware solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of the time spent looking for vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Learn more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is a managed endpoint protection (EPP) service that uses next-generation behavior-based machine learning to defend endpoints, servers and VMs against modern malware attacks such as ransomware and phishing payloads that evade legacy signature-matching anti-virus products. The service protects on-premises and cloud-based resources and provides a unified platform covering the complete malware attack lifecycle: protection, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and cleanup services.
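Both the ProSight Active Security Monitoring entry above and this one rely on the Windows Volume Shadow Copy Service (VSS) for rollback, and the caveat a responder needs is that most ransomware, Ryuk included, deletes shadow copies and disables Windows recovery before it starts encrypting. The following PowerShell is an added example, not part of ProSight or SentinelOne: it inventories the shadow copies that currently exist on each volume and scans the Security log for process-creation events (ID 4688) whose command line matches the usual shadow-deletion commands. It assumes the "Audit Process Creation" policy and "Include command line in process creation events" are enabled; without them 4688 events carry no command line and the scan finds nothing. The seven-day lookback window and the pattern list are assumptions and starting points, not an exhaustive signature set.

```powershell
# Added example, not ProSight/SentinelOne code. Run elevated on the server you want to check.

function Get-ShadowCopyInventory {
    # Map volume GUID paths (\\?\Volume{...}\) to drive letters so the report is readable
    $DriveByDeviceId = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
        $DriveByDeviceId[$_.DeviceID] = $_.DriveLetter
    }
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Drive    = $DriveByDeviceId[$_.VolumeName]
            Created  = $_.InstallDate
            ShadowId = $_.ID
        }
    } | Sort-Object Drive, Created
}

# Command lines that destroy rollback capability. Ryuk and many other families run these:
# vssadmin/wmic/WMI shadow deletion, shadow-storage shrinking, disabling Windows
# recovery, and wiping the Windows Backup catalog. Assumed starting list, extend as needed.
$ShadowKillPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*Delete',
    'bcdedit(\.exe)?.*recoveryenabled\s+no',
    'wbadmin(\.exe)?\s+delete\s+catalog'
) -join '|'

function Find-ShadowKillEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # assumed lookback window
    $Filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $Xml  = [xml]$_.ToXml()
        $Data = @{}
        foreach ($Field in $Xml.Event.EventData.Data) { $Data[$Field.Name] = $Field.'#text' }
        if ($Data['CommandLine'] -match $ShadowKillPatterns) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f $Data['SubjectDomainName'], $Data['SubjectUserName']
                Parent      = $Data['ParentProcessName']   # present on Windows 10 / Server 2016 and later
                CommandLine = $Data['CommandLine']
            }
        }
    }
}

$Shadows = Get-ShadowCopyInventory
if (-not $Shadows) {
    Write-Warning 'No shadow copies exist on this host; VSS-based rollback has nothing to restore from'
} else {
    $Shadows | Format-Table -AutoSize
}

$Hits = Find-ShadowKillEvents
if ($Hits) {
    Write-Warning ('{0} shadow-deletion command(s) found in the Security log; treat this host as under attack' -f @($Hits).Count)
    $Hits | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No shadow-deletion commands found in the lookback window'
}
```

The point of running both checks together is that an empty shadow-copy inventory on a server that normally has them, combined with a matching 4688 event, is an early signal that encryption is imminent or under way; endpoint products that promise VSS rollback can only roll back to copies that still exist, so a responder should verify the inventory before relying on that feature and should ship 4688 command lines to a central log where the malware cannot clear them.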
- Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
Progent's Help Center managed services enable your IT group to outsource Help Desk services to Progent or split activity for Help Desk services transparently between your in-house network support team and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Shared Service Desk offers a smooth supplement to your internal support resources. User access to the Help Desk, provision of support, issue escalation, trouble ticket creation and updates, efficiency metrics, and management of the service database are cohesive regardless of whether issues are resolved by your corporate network support group, by Progent, or a mix of the two. Learn more about Progent's outsourced/shared Help Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide businesses of any size a flexible and cost-effective solution for assessing, testing, scheduling, applying, and tracking software and firmware updates to your dynamic IT system. Besides optimizing the security and functionality of your IT environment, Progent's patch management services allow your in-house IT team to focus on more strategic projects and activities that deliver maximum business value from your network. Find out more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA services use Cisco's Duo technology to protect against password theft with two-factor authentication. Duo enables one-tap identity verification with iOS, Android, and other personal devices. With 2FA, when you sign into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess, reached over a separate ("out-of-band") channel. A broad range of out-of-band devices can serve as this second factor, such as a smartphone or wearable, a hardware token, or a landline telephone, and you can register several of them. To find out more about Duo identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of real-time management reporting utilities created to work with the leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
For 24/7 Houston Crypto-Ransomware Cleanup Services, reach out to Progent at 800-462-8800 or go to Contact Progent.