Ransomware : Your Worst IT Nightmare
Crypto-Ransomware has become a modern cyberplague that poses an existential danger for businesses of all sizes unprepared for an assault. Versions of crypto-ransomware like the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for many years and still inflict damage. Modern variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with more unnamed newcomers, not only encrypt on-line data but also infiltrate all available system restores and backups. Data replicated to off-site disaster recovery sites can also be held hostage. In a vulnerable system, it can make any restoration useless and basically sets the datacenter back to square one.
Getting back online services and data following a ransomware intrusion becomes a sprint against time as the targeted business struggles to contain the damage, cleanup the crypto-ransomware, and resume enterprise-critical activity. Since ransomware needs time to replicate, penetrations are frequently sprung on weekends, when attacks tend to take more time to detect. This compounds the difficulty of rapidly marshalling and organizing a knowledgeable response team.
Progent makes available an assortment of help services for protecting businesses from crypto-ransomware events. Among these are user training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security gateways with machine learning technology from SentinelOne to detect and extinguish zero-day cyber threats quickly. Progent also can provide the assistance of veteran ransomware recovery engineers with the track record and perseverance to rebuild a compromised system as rapidly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware event, even paying the ransom demands in cryptocurrency does not ensure that criminal gangs will return the needed keys to unencrypt any or all of your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms are commonly a few hundred thousand dollars. For larger organizations, the ransom demand can reach millions of dollars. The fallback is to setup from scratch the vital elements of your Information Technology environment. Absent access to essential data backups, this requires a broad range of IT skills, professional team management, and the willingness to work continuously until the task is finished.
For twenty years, Progent has offered certified expert IT services for businesses across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned advanced certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of experience provides Progent the skills to efficiently identify necessary systems and consolidate the remaining components of your computer network environment following a ransomware event and assemble them into an operational network.
Progent's recovery group utilizes powerful project management systems to coordinate the sophisticated recovery process. Progent appreciates the urgency of working swiftly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to get the most important services back on line as fast as possible.
Client Story: A Successful Crypto-Ransomware Attack Recovery
A client contacted Progent after their network was crashed by Ryuk ransomware virus. Ryuk is thought to have been deployed by Northern Korean state cybercriminals, suspected of using approaches leaked from America's NSA organization. Ryuk attacks specific companies with little or no ability to sustain operational disruption and is one of the most profitable examples of ransomware malware. Well Known targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk event had frozen all company operations and manufacturing processes. Most of the client's data backups had been directly accessible at the beginning of the intrusion and were damaged. The client was actively seeking loans for paying the ransom (more than $200K) and hoping for the best, but in the end utilized Progent.
"I cannot speak enough in regards to the expertise Progent provided us during the most critical time of (our) company's existence. We would have paid the cybercriminals except for the confidence the Progent group afforded us. The fact that you were able to get our e-mail and production applications back on-line faster than one week was amazing. Each expert I got help from or messaged at Progent was urgently focused on getting us working again and was working 24 by 7 on our behalf."
Progent worked together with the customer to rapidly identify and assign priority to the essential applications that needed to be addressed to make it possible to resume departmental operations:
- Windows Active Directory
- Electronic Mail
- MRP System
To begin, Progent adhered to Anti-virus incident response industry best practices by isolating and disinfecting systems. Progent then began the steps of restoring Windows Active Directory, the core of enterprise networks built upon Microsoft technology. Microsoft Exchange email will not operate without Active Directory, and the businesses' accounting and MRP system leveraged Microsoft SQL Server, which requires Windows AD for security authorization to the information.
Within two days, Progent was able to re-build Active Directory services to its pre-attack state. Progent then performed setup and hard drive recovery of needed systems. All Exchange ties and configuration information were usable, which greatly helped the restore of Exchange. Progent was able to find local OST data files (Outlook Offline Data Files) on various workstations to recover email messages. A not too old off-line backup of the businesses financials/MRP software made them able to restore these required applications back on-line. Although a large amount of work needed to be completed to recover fully from the Ryuk event, the most important systems were returned to operations rapidly:
"For the most part, the production manufacturing operation survived unscathed and we delivered all customer shipments."
Throughout the following couple of weeks important milestones in the recovery project were accomplished through tight collaboration between Progent consultants and the client:
- In-house web sites were brought back up without losing any information.
- The MailStore Microsoft Exchange Server with over four million historical messages was brought on-line and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory capabilities were 100 percent recovered.
- A new Palo Alto 850 security appliance was brought online.
- Most of the user desktops were fully operational.
"A lot of what occurred in the early hours is mostly a blur for me, but I will not forget the dedication each and every one of you put in to help get our business back. I have utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered. This event was a testament to your capabilities."
Conclusion
A likely business-killing disaster was evaded by results-oriented experts, a wide range of IT skills, and tight collaboration. Although upon completion of forensics the ransomware virus penetration described here would have been prevented with modern cyber security systems and best practices, staff training, and well designed incident response procedures for data protection and keeping systems up to date with security patches, the reality remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's team of professionals has substantial experience in ransomware virus defense, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thanks very much for letting me get rested after we got through the most critical parts. All of you did an amazing job, and if any of your team is in the Chicago area, dinner is my treat!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Houston a range of online monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services incorporate next-generation AI technology to detect new variants of crypto-ransomware that are able to evade traditional signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your IT system running efficiently by checking the health of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT management staff and your Progent consultant so all looming issues can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Desktops
ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-driven platform for monitoring and managing your network, server, and desktop devices by offering an environment for streamlining common time-consuming jobs. These can include health monitoring, patch management, automated remediation, endpoint deployment, backup and restore, anti-virus protection, remote access, standard and custom scripts, asset inventory, endpoint status reporting, and debugging assistance. If ProSight LAN Watch with NinjaOne RMM uncovers a serious incident, it transmits an alert to your designated IT management staff and your assigned Progent technical consultant so potential issues can be fixed before they impact your network. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, enhance and debug their connectivity appliances such as routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are always current, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious network management processes, ProSight WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, finding devices that need critical software patches, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding line of real-time and in-depth management reporting tools created to work with the leading ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues such as inconsistent support follow-through or endpoints with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service. ProSight DPS products manage and track your data backup processes and enable non-disruptive backup and fast restoration of critical files/folders, applications, images, plus VMs. ProSight DPS helps your business avoid data loss resulting from hardware failures, natural disasters, fire, cyber attacks such as ransomware, human error, malicious insiders, or application glitches. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to deliver centralized management and comprehensive protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your vulnerability to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite gateway appliance adds a further layer of analysis for inbound email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also assist Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication. Duo supports one-tap identity confirmation with Apple iOS, Google Android, and other personal devices. Using 2FA, when you sign into a protected online account and enter your password you are requested to verify your identity on a unit that only you possess and that uses a separate network channel. A broad selection of devices can be utilized as this added form of authentication such as a smartphone or watch, a hardware token, a landline telephone, etc. You may register several verification devices. To find out more about ProSight Duo identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.
- Outsourced/Co-managed Call Desk: Support Desk Managed Services
Progent's Support Desk services enable your IT staff to outsource Support Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your in-house network support team and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Shared Service Desk offers a seamless supplement to your core IT support team. End user interaction with the Help Desk, provision of support services, issue escalation, trouble ticket generation and tracking, efficiency metrics, and management of the service database are cohesive whether incidents are resolved by your core support staff, by Progent, or both. Learn more about Progent's outsourced/shared Help Desk services.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting edge behavior machine learning tools to guard endpoints as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-matching AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provides a single platform to address the entire malware attack lifecycle including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Learn more about Progent's ransomware defense and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can save up to 50% of time thrown away searching for vital information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer businesses of all sizes a versatile and affordable alternative for evaluating, validating, scheduling, applying, and tracking updates to your ever-evolving IT network. In addition to maximizing the protection and functionality of your IT network, Progent's patch management services allow your IT team to focus on line-of-business initiatives and activities that derive maximum business value from your network. Read more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hardware solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior machine learning tools to guard physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-matching AV products. ProSight ASM safeguards local and cloud resources and offers a single platform to address the complete malware attack progression including protection, infiltration detection, containment, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection services offer ultra-affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to plan and implement a ProSight ESP environment that addresses your organization's unique needs and that helps you prove compliance with legal and industry data security regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent can also help you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
For 24x7x365 Houston Ransomware Removal Support Services, call Progent at 800-462-8800 or go to Contact Progent.