Ransomware: Your Crippling IT Disaster
Crypto-ransomware has become a modern cyber plague that poses an existential threat to businesses poorly prepared for an attack. Ransomware families such as CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and continue to inflict havoc. Modern strains like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nephilim, along with as yet unnamed newcomers, not only encrypt critical online data but also compromise most reachable system backups. Data synchronized to the cloud can also be ransomed. In a vulnerable environment this can render automated restore operations useless and knock the entire system back to square one.
Recovering applications and data after a ransomware outage becomes a race against time as the targeted organization tries to stop the spread, eradicate the malware, and resume mission-critical activity. Because crypto-ransomware needs time to move laterally, attacks are usually sprung during nights and weekends, when a successful intrusion often takes longer to notice. This multiplies the difficulty of rapidly marshalling and coordinating a qualified response team.
Progent provides a range of support services for protecting businesses from crypto-ransomware incidents. These include staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security gateways with artificial intelligence technology from SentinelOne to identify and stop new cyber threats. Progent also provides expert ransomware recovery engineers with the skills and commitment to rebuild a breached system as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware penetration, paying the ransom demand in cryptocurrency provides no assurance that the remote criminals will respond with the keys to decrypt any or all of your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms are commonly a few hundred thousand dollars, and for larger organizations the ransom can run into the millions. The alternative is to rebuild the critical parts of your IT environment. Without access to complete system backups, this requires a broad complement of skills, top-notch team management, and the ability to work non-stop until the job is done.
For twenty years, Progent has offered expert IT services to businesses across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise with financial management and ERP software. This breadth of experience gives Progent the ability to quickly understand critical systems, consolidate the surviving parts of your network following a crypto-ransomware penetration, and rebuild them into a functioning system.
Progent's ransomware team uses top-notch project management tools to coordinate the complex restoration process. Progent understands the urgency of working quickly and closely with a client's management and IT staff to prioritize tasks and get essential applications back online as fast as possible.
Customer Case Study: A Successful Ransomware Virus Recovery
A client engaged Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored hackers, suspected of using techniques leaked from the U.S. NSA. Ryuk targets organizations with little or no tolerance for disruption and is one of the most lucrative incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with around 500 employees. The Ryuk penetration had shut down all company operations and manufacturing capability. The majority of the client's system backups had been directly accessible at the time of the attack and were damaged. The client considered paying the ransom (exceeding $200K) and hoping for the best, but in the end engaged Progent.
"I cannot tell you enough about the help Progent provided us throughout the most fearful time of (our) company's life. We might have had to pay the cyber criminals behind the attack if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and important servers back in less than a week was something I thought impossible. Every single person I got help from or e-mailed at Progent was urgently focused on getting us operational and was working all day and night on our behalf."
Progent worked together with the client to quickly identify and prioritize the key applications that needed to be addressed to make it possible to restart departmental functions:
- Windows Active Directory
- Email
- Accounting/MRP
To start, Progent followed malware incident response best practices by halting the spread and performing malware removal steps. Progent then began bringing Microsoft Active Directory back online, the core of enterprise systems built on Microsoft Windows Server technology. Exchange messaging will not function without Windows AD, and the customer's accounting and MRP system ran on SQL Server, which relied on Windows AD to authenticate access to the data.
Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then completed reinstallation and storage recovery of essential servers. All Exchange links and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to gather local OST files (Outlook offline folder files) from user workstations and laptops in order to recover email data. A relatively recent offline backup of the customer's accounting/ERP software made it possible to bring these essential applications back online. Although a great deal of work remained to recover fully from the Ryuk attack, core services were returned to operation quickly:
"For the most part, the production manufacturing operation never missed a beat and we produced all customer orders."
Over the following couple of weeks, important milestones in the restoration process were reached through tight cooperation between Progent engineers and the client:
- Internal web applications were returned to operation without losing any data.
- The MailStore Server containing more than 4 million historical emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory functions were fully restored.
- A new Palo Alto 850 security appliance was deployed.
- Most desktop computers were back in use by staff.
"So much of what went on that first week is mostly a haze for me, but we will not soon forget the countless hours each and every one of you put in to give us our company back. I have entrusted Progent for the past 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a life saver."
Conclusion
A potentially company-ending catastrophe was averted thanks to top-tier experts, a broad spectrum of IT skills, and tight collaboration. Post-incident analysis showed that the ransomware incident described here would have been identified and prevented with up-to-date security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, properly executed incident response procedures for information protection, and proper patching controls. Nevertheless, government-sponsored cybercriminals from Russia, China and elsewhere are relentless and will continue their attacks. If you are hit by ransomware, you can be confident that Progent's team of professionals has a proven track record in ransomware defense, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for letting me get some sleep after we made it past the most critical parts. All of you did an amazing job, and if any of your team is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer story, please click: Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF - 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Fort Wayne a range of remote monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services use next-generation machine learning to uncover new variants of ransomware that escape detection by legacy signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to keep your IT system operating efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so that any potential issues can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a unified, cloud-driven platform for managing your client-server infrastructure by providing an environment for performing common time-consuming jobs. These can include health monitoring, patch management, automated remediation, endpoint deployment, backup and recovery, anti-virus response, remote access, built-in and custom scripts, asset inventory, endpoint profile reports, and troubleshooting support. When ProSight LAN Watch with NinjaOne RMM identifies a serious problem, it sends an alert to your designated IT personnel and your assigned Progent consultant so potential issues can be taken care of before they interfere with productivity. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring consulting.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to diagram, monitor, optimize and troubleshoot their networking appliances such as switches, firewalls, and load balancers as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating tedious network management processes, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, locating appliances that require critical updates, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of in-depth reporting plug-ins designed to integrate with the top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has worked with advanced backup software companies to create ProSight Data Protection Services (DPS), a selection of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products manage and track your data backup operations and allow non-disruptive backup and rapid restoration of vital files, applications, system images, and VMs. ProSight DPS lets you protect against data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, user error, malicious employees, or software bugs. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security companies to deliver web-based control and world-class protection for all your email traffic. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to external attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway device provides a further layer of inspection for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to protect accounts against stolen passwords by using two-factor authentication (2FA). Duo supports single-tap identity verification with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a protected online account and enter your password, you are asked to verify your identity on a device that only you possess and that is reached over a separate network channel. A broad selection of devices can be used for this second form of identity validation, such as a smartphone or watch, a hardware or software token, or a landline phone. You can designate multiple validation devices. To find out more about Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services for access security.
- Progent's Outsourced/Shared Help Desk: Call Center Managed Services
Progent's Support Center managed services permit your IT group to offload Help Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your in-house network support resources and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless extension of your core IT support team. End user interaction with the Help Desk, delivery of technical assistance, issue escalation, trouble ticket generation and tracking, performance metrics, and management of the service database are consistent regardless of whether issues are taken care of by your corporate IT support group, by Progent, or by a combination. Read more about Progent's outsourced/shared Service Center services.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that uses next-generation behavior-based analysis to defend endpoint devices and physical and virtual servers against new malware attacks like ransomware and email phishing, which easily get past traditional signature-matching anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provide a single platform to manage the complete malware attack lifecycle including blocking, infiltration detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Read more about Progent's ransomware protection and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect information related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can save as much as half of the time spent looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide organizations of all sizes a versatile and cost-effective solution for assessing, validating, scheduling, implementing, and tracking updates to your dynamic IT system. Besides maximizing the protection and reliability of your computer network, Progent's patch management services free up time for your IT staff to concentrate on more strategic initiatives and tasks that derive the highest business value from your network. Learn more about Progent's software/firmware update management support services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses SentinelOne's cutting-edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely get past legacy signature-based anti-virus products. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the entire threat lifecycle including filtering, detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows VSS and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and response to security attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through cutting-edge tools incorporated within one agent managed from a single console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP deployment that addresses your company's specific needs and that allows you to prove compliance with legal and industry information protection standards. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also assist your company to install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.
For 24x7 Fort Wayne Crypto Recovery Help, call Progent at 800-462-8800 or go to Contact Progent.