Crypto-Ransomware: Your Feared IT Catastrophe
Ransomware has become an escalating cyber pandemic that poses an enterprise-level threat to businesses unprepared for an assault. Versions of ransomware such as CrySIS, Fusob, Locky, NotPetya and MongoLock cryptoworms have been around for years and continue to cause destruction. The latest variants of ransomware, such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with many unnamed strains, not only encrypt on-line information but also defeat many of the system protections they can reach. Information synched to cloud environments can also be ransomed. In a poorly architected environment, this can make automatic recovery impossible and effectively knocks the datacenter back to square one.
Restoring applications and data after a ransomware intrusion becomes a race against the clock as the victim tries to stop lateral movement, clear the crypto-ransomware, and restore business-critical activity. Because ransomware takes time to move laterally, attacks are often launched at night, when they typically take longer to recognize. This multiplies the difficulty of quickly marshalling and organizing a qualified response team.
Progent offers a range of services for protecting organizations from ransomware penetrations. These include user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security solutions built on AI technology from SentinelOne to identify and disable new threats automatically. Progent also provides expert crypto-ransomware recovery consultants with the talent and commitment to reconstruct a compromised network as urgently as possible.
Progent's Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the attackers will return the keys needed to decipher any or all of your data. Kaspersky estimated that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also costly: Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000), far higher than the typical crypto-ransomware demand, which ZDNET determined to be around $13,000. The fallback is to re-install the critical parts of your IT environment. Without access to essential data backups, this calls for a broad complement of skill sets, well-coordinated project management, and the capability to work 24x7 until the job is complete.
For decades, Progent has provided expert IT services for companies in Houston and across the United States and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's security experts hold internationally-renowned industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the skills to quickly identify the necessary systems following a ransomware attack, re-organize the remaining parts of your IT environment, and assemble them into a functioning system.
Progent's security team uses powerful project management systems to coordinate the complicated restoration process. Progent appreciates the urgency of working swiftly and together with a client's management and IT resources to prioritize tasks and get essential services back online as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A business escalated to Progent after its organization was brought down by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored criminal gangs, suspected of adopting techniques exposed from America's National Security Agency. Ryuk targets specific companies with limited tolerance for operational disruption and is among the most profitable strains of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago with about 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. The majority of the client's data backups had been on-line at the time of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (exceeding $200K) and hope for the best, but in the end engaged Progent.
"I can't speak enough about the care Progent gave us during the most critical time of (our) business's existence. We would have paid the cybercriminals if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail and production applications back on-line in less than one week was earth-shattering. Each expert I worked with or messaged at Progent was amazingly focused on getting us back online and was working at a breakneck pace on our behalf."
Progent worked with the client to quickly determine and prioritize the most important areas that needed to be recovered in order to restart departmental operations:
- Microsoft Active Directory
- Electronic Mail
To begin, Progent followed intrusion response best practices by stopping lateral movement and performing virus removal steps. Progent then started the work of rebuilding Microsoft Active Directory (AD), the heart of enterprise networks built on Microsoft technology. Exchange messaging will not operate without Active Directory, and the customer's accounting and MRP applications used Microsoft SQL Server, which relies on Windows AD for access to the database.
In less than two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then helped perform the rebuilding and hard drive recovery of essential servers. All Exchange Server data and configuration information were intact, which greatly simplified the restore of Exchange. Progent was able to find non-encrypted OST files (Outlook Offline Folder Files) on user workstations to recover email information. A recent off-line backup of the customer's financials/MRP systems made it possible to bring these essential applications back to users. Although a lot of work remained to recover completely from the Ryuk damage, critical systems were returned to operation quickly:
"For the most part, the production line operation never missed a beat and we made all customer sales."
During the following month, important milestones in the recovery project were achieved in close cooperation between Progent engineers and the client:
- Self-hosted web sites were brought back up without losing any information.
- The MailStore Server containing more than four million archived emails was restored to operation and made accessible to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables/Inventory Control modules were completely restored.
- A new Palo Alto Networks 850 firewall was installed.
- Nearly all of the user PCs were back in operation.
"Much of what transpired those first few days is mostly a fog for me, but we will not forget the dedication all of the team put in to give us our company back. I have utilized Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."
A probable business-ending disaster was averted through dedicated experts, a wide array of knowledge, and tight collaboration. Forensics completed after the recovery showed that the crypto-ransomware attack described here would have been stopped by up-to-date cyber security technology, ISO/IEC 27001 best practices, team training, and properly executed security procedures for backup and patching controls. Nevertheless, government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, remember that Progent's team of professionals has extensive experience in crypto-ransomware defense, mitigation, and disaster recovery of files.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for making it so I could get rested after we got over the most critical parts. All of you made an impressive effort, and if anyone that helped is in the Chicago area, dinner is my treat!"
To review or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Houston with a variety of online monitoring and security assessment services to help you minimize the threat from ransomware. These services include modern machine learning capability to uncover zero-day strains of crypto-ransomware that can escape detection by traditional signature-based anti-virus solutions.
For Houston 24/7/365 Ransomware Cleanup Consulting, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavior-based analysis tools to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which easily evade legacy signature-based AV products. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to address the entire threat lifecycle including protection, infiltration detection, containment, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP deployment that meets your organization's specific needs and that allows you to demonstrate compliance with legal and industry data security regulations. Progent will help you define and implement the policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require urgent attention. Progent can also help you set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services (DPS), a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and enable transparent backup and rapid recovery of important files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss caused by hardware failures, natural calamities, fire, malware such as ransomware, human error, malicious employees, or application bugs. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security vendors to deliver web-based control and world-class security for all your email traffic. The hybrid structure of Email Guard integrates a Cloud Protection Layer with a local security gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter serves as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device adds a further layer of analysis for incoming email. For outbound email, the onsite security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and protect internal email traffic that stays within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, optimize and troubleshoot their networking appliances such as routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network maps are kept updated, copies and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious management processes, ProSight WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, locating appliances that require critical updates, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network running at peak levels by checking the state of vital assets that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT staff and your Progent consultant so that any looming issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be ported easily to a different hardware solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect data about your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Find out more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates cutting-edge behavior-based machine learning tools to guard endpoints and physical and virtual servers against modern malware assaults such as ransomware and email phishing, which easily escape traditional signature-matching anti-virus tools. Progent ASM services protect local and cloud resources and offer a single platform to address the entire threat progression including blocking, detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Call Center: Support Desk Managed Services
Progent's Help Center managed services permit your IT group to outsource Call Center services to Progent or split responsibilities for Help Desk services seamlessly between your internal network support group and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent supplement to your corporate network support staff. End user access to the Help Desk, provision of support services, problem escalation, trouble ticket generation and updates, performance metrics, and management of the service database are cohesive regardless of whether issues are resolved by your corporate IT support organization, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Call Desk services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management offer organizations of any size a versatile and cost-effective solution for assessing, testing, scheduling, implementing, and tracking updates to your ever-evolving information system. In addition to maximizing the protection and reliability of your computer environment, Progent's software/firmware update management services permit your IT staff to focus on more strategic initiatives and activities that derive maximum business value from your information network. Learn more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA service plans use Cisco's Duo technology to defend against stolen passwords through two-factor authentication. Duo supports single-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a secured online account and give your password, you are asked to verify your identity via a device that only you possess and that uses a different network channel. A broad range of out-of-band devices can be used as this second means of authentication, including an iPhone, Android phone or wearable, a hardware token, or a landline phone. You can register several validation devices. For details about Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of in-depth management reporting plug-ins created to integrate with the top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues such as spotty support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.