Crypto-Ransomware: Your Crippling IT Catastrophe
Crypto-ransomware has become a modern cyberplague that poses an existential threat to organizations poorly prepared for an attack. Multiple generations of crypto-ransomware such as the Dharma, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for years and continue to cause havoc. Newer variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, plus daily unnamed malware, not only encrypt online data but also compromise most reachable system backups. Files replicated to the cloud can be encrypted as well. In a vulnerable environment this can make any restore operation impossible, effectively knocking the entire environment back to zero.
Recovering services and data after a crypto-ransomware intrusion becomes a race against the clock as the targeted organization struggles to stop lateral movement, eradicate the ransomware, and restore business-critical activity. Because crypto-ransomware takes time to spread, attacks are often launched on weekends and at night, when they typically take longer to detect. This multiplies the difficulty of rapidly assembling and organizing a capable response team.
Progent offers a variety of support services for protecting businesses from ransomware events. These include staff education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security gateways with AI technology from SentinelOne to detect and disable new cyber attacks intelligently. Progent also offers the services of seasoned crypto-ransomware recovery professionals with the track record and commitment to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware attack, paying the ransom demand in cryptocurrency provides no assurance that the criminals will supply the keys to decrypt any or all of your files. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms are often a few hundred thousand dollars, and for larger organizations the demand can reach millions of dollars. The alternative is to rebuild the essential components of your IT environment from scratch. Without usable system backups, this requires a broad range of skill sets, top-notch team management, and the willingness to work continuously until the job is done.
For decades, Progent has provided professional IT services to companies throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of experience lets Progent quickly understand critical systems, integrate the surviving parts of your IT environment after a ransomware attack, and rebuild them into an operational system.
Progent's ransomware group has powerful project management applications to orchestrate the sophisticated restoration process. Progent appreciates the urgency of acting rapidly and in concert with a customer's management and Information Technology team members to assign priority to tasks and to put the most important applications back on line as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Incident Response
A small business sought out Progent after being attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored hackers, suspected of using techniques leaked from the United States NSA. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with around 500 workers. The Ryuk attack had disabled all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible online at the time of the attack and were damaged. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but ultimately engaged Progent.
"I cannot speak enough about the care Progent gave us during the most fearful period of (our) company's existence. We most likely would have paid the hackers behind this attack except for the confidence the Progent group gave us. That you could get our messaging and key servers back online in less than a week was something I thought impossible. Each person I spoke to or messaged at Progent was amazingly focused on getting our system up and was working day and night on our behalf."
Progent worked together with the customer to quickly assess and prioritize the essential applications that needed to be addressed to make it possible to resume departmental functions:
- Active Directory (AD)
- Electronic Messaging
- Accounting/MRP
To start, Progent followed industry best practices for antivirus/malware incident mitigation by isolating and removing active malware. Progent then began bringing Microsoft Active Directory back online, since AD is the heart of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server messaging will not operate without Active Directory, and the customer's financial and MRP software ran on SQL Server, which depends on Active Directory for access to the data.
Within 48 hours, Progent had restored Active Directory to its pre-attack state. Progent then helped rebuild the required systems and recover their hard drives. All Exchange data and attributes were intact, which accelerated the Exchange restore. Progent also located unencrypted OST files (Microsoft Outlook Offline Folder Files) on staff PCs and used them to recover mail data. A reasonably recent offline backup of the customer's manufacturing software made it possible to bring these vital services back online. Although a great deal of work remained to recover fully from the Ryuk event, core services were restored quickly:
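The mail recovery step above depended on finding Outlook data files that the ransomware had not touched. The Python script below is an added example, not Progent's tooling and not part of the case study: it triages OST/PST files on a workstation by checking for the [MS-PST] header signature ("!BDN" at offset 0, "SM" at offset 8) and, for files without it, by measuring byte entropy, so that intact mailbox files are found regardless of the extension they now carry. The default search folder, the entropy threshold and the sample file contents are assumptions made for the example.

```python
"""Triage Outlook data files (OST/PST) found on workstations after a ransomware event.

A file that ransomware has encrypted no longer carries the [MS-PST] header, so
a header check separates intact mailbox files from damaged ones whatever
extension the file now has. All sample data used here is constructed.
"""
import math
import os
import struct
from dataclasses import dataclass
from typing import Iterator, Optional

# Fixed header fields from the [MS-PST] specification: the file begins with
# dwMagic "!BDN"; wMagicClient "SM" sits at offset 8 and wVer at offset 10.
PST_MAGIC = b"!BDN"
PST_MAGIC_CLIENT = b"SM"
SAMPLE_LEN = 4096        # bytes read from the head of each file
HIGH_ENTROPY = 7.5       # bits/byte (assumed threshold); encrypted data approaches 8.0
# Assumed default location of OST files on a Windows workstation.
DEFAULT_ROOT = r"%LOCALAPPDATA%\Microsoft\Outlook"


@dataclass
class Triage:
    path: str
    verdict: str              # "intact", "encrypted" or "unknown"
    version: Optional[int]    # wVer when the header is intact, else None
    entropy: float            # Shannon entropy of the sampled bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_bytes(path: str, data: bytes) -> Triage:
    """Classify a file head: valid PST header -> intact; near-random -> encrypted."""
    ent = shannon_entropy(data)
    if len(data) >= 12 and data[:4] == PST_MAGIC and data[8:10] == PST_MAGIC_CLIENT:
        (ver,) = struct.unpack_from("<H", data, 10)   # 14/15 ANSI, 23+ Unicode
        return Triage(path, "intact", ver, ent)
    if ent >= HIGH_ENTROPY:
        return Triage(path, "encrypted", None, ent)
    # Header missing but low entropy: truncated, zeroed, or not an Outlook file.
    return Triage(path, "unknown", None, ent)


def triage_file(path: str) -> Triage:
    with open(path, "rb") as fh:
        return triage_bytes(path, fh.read(SAMPLE_LEN))


def find_outlook_files(root: str) -> Iterator[str]:
    """Yield files whose name contains .ost or .pst, so renamed files
    (e.g. mailbox.ost.<appended-extension>) are still picked up."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if ".ost" in lower or ".pst" in lower:
                yield os.path.join(dirpath, name)


def triage_tree(root: str) -> list:
    """Triage every candidate under root; intact files are listed first."""
    results = [triage_file(p) for p in find_outlook_files(root)]
    order = {"intact": 0, "unknown": 1, "encrypted": 2}
    return sorted(results, key=lambda r: (order[r.verdict], r.path))


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(DEFAULT_ROOT)
    for r in triage_tree(root):
        print(f"{r.verdict:9} ver={r.version!s:>4} H={r.entropy:4.2f}  {r.path}")
```

Run it against a mounted workstation image or the Outlook profile folder; files reported as intact can be copied off for mailbox recovery, while the entropy figure helps separate encrypted files from ones that were merely truncated or never were Outlook data. The header check is deliberately done before the entropy check, because a genuine PST/OST body can itself be fairly high in entropy.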
"For the most part, the production manufacturing operation showed little impact and we did not miss any customer shipments."
During the following month key milestones in the recovery project were completed through tight cooperation between Progent team members and the client:
- Self-hosted web applications were restored with no loss of data.
- The MailStore Server containing more than 4 million historical emails was spun up and available for users.
- CRM/Orders/Invoicing/Accounts Payable/AR/Inventory Control functions were 100 percent recovered.
- A new Palo Alto Networks 850 security appliance was set up.
- 90% of the desktops and laptops were functioning as before the incident.
"Much of what went on in the early hours is nearly entirely a haze for me, but my management will not soon forget the countless hours all of your team accomplished to help get our company back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered. This situation was a life saver."
Conclusion
A potential business disaster was averted through the efforts of top-tier professionals, a broad array of IT skills, and tight teamwork. In retrospect, the crypto-ransomware intrusion described here could have been prevented with advanced cyber security solutions and best practices, staff education, properly executed incident response procedures for information protection, and proper patching controls. The reality remains, however, that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware incursion, remember that Progent's team of experts has proven experience in ransomware defense, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thanks very much for letting me get some sleep after we got over the most critical parts. All of you did a fabulous effort, and if anyone is in the Chicago area, dinner is my treat!"
To review or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Vacaville a range of online monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services incorporate modern artificial intelligence capability to detect new variants of ransomware that can escape detection by traditional signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which easily escape legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to manage the complete threat lifecycle including protection, detection, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, device management, and web filtering through cutting-edge tools incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP deployment that meets your company's unique needs and that allows you to achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you in specifying and implementing the policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also assist you in setting up and verifying a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has worked with leading backup software providers to create ProSight Data Protection Services, a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your backup operations and allow non-disruptive backup and fast restoration of critical files/folders, apps, images, and virtual machines. ProSight DPS lets you recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, human error, malicious employees, or software bugs. Managed services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading information security vendors to provide centralized management and comprehensive security for all your email traffic. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and blocks the vast majority of threats from making it to your security perimeter. This reduces your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper level of inspection for incoming email. For outbound email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and troubleshoot their networking hardware such as routers and switches, firewalls, and wireless controllers plus servers, client computers and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that infrastructure topology diagrams are always updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, finding appliances that require important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to keep your IT system operating efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT personnel and your Progent consultant so that all potential problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hosting environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains, or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as half of the time spent looking for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection service that utilizes cutting-edge behavior analysis technology to defend endpoints as well as servers and VMs against new malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-based AV products. Progent ASM services safeguard local and cloud resources and offer a unified platform to automate the complete threat progression including protection, identification, mitigation, remediation, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Service Center: Support Desk Managed Services
Progent's Support Center services allow your IT group to outsource Help Desk services to Progent or split activity for Service Desk support transparently between your in-house support team and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth supplement to your core network support team. End user interaction with the Service Desk, provision of support services, problem escalation, trouble ticket generation and tracking, efficiency metrics, and maintenance of the service database are cohesive whether issues are taken care of by your corporate IT support organization, by Progent, or both. Read more about Progent's outsourced/shared Service Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer organizations of all sizes a flexible and affordable solution for evaluating, validating, scheduling, applying, and documenting updates to your ever-evolving information system. Besides optimizing the protection and reliability of your IT network, Progent's software/firmware update management services allow your IT team to focus on more strategic projects and activities that deliver maximum business value from your information network. Learn more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity verification with Apple iOS, Google Android, and other personal devices. Using Duo 2FA, when you sign into a secured online account and enter your password you are requested to confirm your identity on a device that only you possess and that is accessed using a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used as this second form of authentication including a smartphone or watch, a hardware/software token, a landline telephone, etc. You can designate multiple validation devices. For details about Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of real-time management reporting tools created to integrate with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues like inconsistent support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Vacaville 24x7x365 Crypto-Ransomware Cleanup Support Services, call Progent at 800-462-8800 or go to Contact Progent.