Ransomware : Your Crippling IT Catastrophe
Ransomware has become a too-frequent cyber pandemic that poses an enterprise-level threat for businesses of all sizes unprepared for an attack. Different versions of crypto-ransomware such as Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for many years and continue to inflict havoc. Recent variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with daily unnamed newcomers, not only do encryption of on-line critical data but also infiltrate many configured system restores and backups. Data synched to cloud environments can also be ransomed. In a poorly designed system, this can render automatic restoration useless and basically knocks the network back to zero.
Getting back online applications and information following a crypto-ransomware attack becomes a sprint against the clock as the victim tries its best to stop the spread and clear the virus and to restore mission-critical operations. Due to the fact that ransomware requires time to replicate, penetrations are frequently sprung on weekends and holidays, when successful attacks in many cases take more time to detect. This multiplies the difficulty of rapidly assembling and coordinating an experienced response team.
Progent offers a range of help services for securing organizations from ransomware attacks. Among these are staff training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of modern security gateways with AI technology from SentinelOne to detect and extinguish day-zero threats quickly. Progent also provides the services of seasoned ransomware recovery engineers with the talent and perseverance to reconstruct a compromised system as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware penetration, sending the ransom in cryptocurrency does not provide any assurance that merciless criminals will respond with the keys to decrypt any of your files. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never recovered their files after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to re-install the essential parts of your IT environment. Absent access to essential system backups, this requires a broad complement of skills, professional project management, and the capability to work continuously until the recovery project is complete.
For two decades, Progent has provided professional Information Technology services for businesses in Vacaville and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity consultants have garnered internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial systems and ERP applications. This breadth of experience affords Progent the skills to rapidly determine important systems and re-organize the remaining components of your network system after a ransomware event and configure them into a functioning network.
Progent's security group has state-of-the-art project management tools to orchestrate the complicated recovery process. Progent appreciates the importance of working swiftly and in unison with a customer's management and Information Technology resources to prioritize tasks and to get essential systems back on-line as soon as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A business sought out Progent after their network system was brought down by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by Northern Korean government sponsored hackers, suspected of adopting technology exposed from the United States NSA organization. Ryuk goes after specific organizations with little tolerance for disruption and is one of the most profitable examples of ransomware viruses. High publicized victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area and has about 500 employees. The Ryuk intrusion had shut down all essential operations and manufacturing processes. Most of the client's system backups had been directly accessible at the beginning of the attack and were encrypted. The client was pursuing financing for paying the ransom demand (in excess of two hundred thousand dollars) and praying for good luck, but in the end reached out to Progent.
"I can't tell you enough in regards to the care Progent provided us throughout the most fearful time of (our) businesses existence. We may have had to pay the cyber criminals except for the confidence the Progent team gave us. The fact that you were able to get our e-mail and critical applications back into operation in less than seven days was amazing. Every single consultant I got help from or messaged at Progent was laser focused on getting us restored and was working non-stop on our behalf."
Progent worked with the customer to quickly identify and prioritize the most important systems that had to be restored to make it possible to continue departmental operations:
To get going, Progent adhered to AV/Malware Processes event response best practices by stopping lateral movement and clearing infected systems. Progent then began the work of recovering Active Directory, the key technology of enterprise environments built on Microsoft Windows technology. Exchange email will not function without AD, and the customer's accounting and MRP software utilized SQL Server, which needs Active Directory services for authentication to the databases.
- Active Directory (AD)
- Microsoft Exchange
In less than 2 days, Progent was able to rebuild Active Directory services to its pre-attack state. Progent then performed setup and storage recovery of essential applications. All Exchange Server ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Off-Line Folder Files) on team desktop computers and laptops to recover email messages. A not too old offline backup of the customer's financials/MRP software made it possible to return these vital services back on-line. Although significant work needed to be completed to recover fully from the Ryuk attack, critical services were returned to operations quickly:
"For the most part, the assembly line operation survived unscathed and we did not miss any customer orders."
Throughout the following couple of weeks critical milestones in the restoration project were achieved through tight collaboration between Progent team members and the client:
- In-house web sites were restored without losing any data.
- The MailStore Exchange Server with over 4 million archived emails was brought online and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were 100% recovered.
- A new Palo Alto Networks 850 security appliance was deployed.
- Nearly all of the user workstations were functioning as before the incident.
"So much of what went on those first few days is mostly a haze for me, but we will not soon forget the urgency each and every one of your team accomplished to give us our company back. I've trusted Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered. This time was a life saver."
A likely business disaster was averted with top-tier experts, a wide spectrum of subject matter expertise, and close collaboration. Although in analyzing the event afterwards the ransomware virus penetration detailed here could have been identified and prevented with advanced cyber security systems and ISO/IEC 27001 best practices, staff education, and appropriate incident response procedures for information backup and proper patching controls, the reality is that government-sponsored hackers from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware virus, feel confident that Progent's team of experts has substantial experience in crypto-ransomware virus defense, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for making it so I could get rested after we made it through the initial fire. Everyone did an incredible job, and if anyone that helped is in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Vacaville a portfolio of remote monitoring and security evaluation services to help you to reduce the threat from ransomware. These services include next-generation artificial intelligence capability to uncover new variants of ransomware that can escape detection by traditional signature-based security solutions.
For 24x7x365 Vacaville Crypto Removal Help, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily evade traditional signature-based AV products. ProSight ASM protects on-premises and cloud-based resources and offers a single platform to manage the complete threat progression including filtering, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge tools packaged within a single agent managed from a single control. Progent's security and virtualization experts can help your business to design and configure a ProSight ESP deployment that meets your organization's specific requirements and that helps you demonstrate compliance with legal and industry information protection standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent's consultants can also help your company to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has partnered with advanced backup/restore technology companies to produce ProSight Data Protection Services (DPS), a selection of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup processes and allow transparent backup and rapid restoration of critical files/folders, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss resulting from equipment failures, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or software glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security companies to deliver web-based control and comprehensive security for your email traffic. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with a local gateway device to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map, track, reconfigure and debug their connectivity hardware like routers, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are always current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating tedious network management processes, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, locating devices that need critical updates, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by tracking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT management personnel and your Progent consultant so any potential problems can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hosting environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect data about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and managing your network documentation, you can eliminate up to half of time spent trying to find critical information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates next generation behavior analysis technology to guard endpoints and servers and VMs against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-based AV products. Progent ASM services protect on-premises and cloud-based resources and offers a unified platform to automate the entire malware attack lifecycle including protection, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Service Center: Support Desk Managed Services
Progent's Support Center services enable your information technology group to offload Call Center services to Progent or split responsibilities for Help Desk services transparently between your internal support group and Progent's nationwide roster of IT support engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless extension of your in-house support group. End user interaction with the Service Desk, delivery of support services, problem escalation, trouble ticket creation and updates, performance measurement, and maintenance of the service database are consistent regardless of whether issues are taken care of by your core IT support organization, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Service Center services.
- Patch Management: Patch Management Services
Progent's support services for patch management offer businesses of all sizes a flexible and cost-effective solution for assessing, testing, scheduling, implementing, and tracking updates to your ever-evolving IT network. In addition to optimizing the protection and reliability of your computer environment, Progent's software/firmware update management services allow your in-house IT staff to focus on line-of-business projects and activities that derive the highest business value from your information network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication managed services utilize Cisco's Duo technology to defend against password theft by using two-factor authentication. Duo enables one-tap identity confirmation with iOS, Google Android, and other personal devices. Using 2FA, when you log into a protected application and give your password you are asked to verify who you are on a unit that only you have and that uses a separate network channel. A broad range of devices can be utilized for this second form of authentication such as a smartphone or wearable, a hardware token, a landline phone, etc. You may designate several validation devices. For details about Duo two-factor identity validation services, go to Duo MFA two-factor authentication services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of in-depth management reporting plug-ins designed to integrate with the top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like spotty support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.