Crypto-Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an all-too-frequent cyber plague that presents an existential threat to businesses of all sizes that are poorly prepared for an attack. Multiple generations of ransomware such as the CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and still inflict harm. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, plus frequent unnamed newcomers, not only encrypt critical online data but also corrupt any accessible system restore points and backups. Information synchronized to the cloud can also be held hostage. In a poorly designed data protection solution, this can render automated recovery impossible and effectively sets the entire system back to zero.
Getting applications and information back following a ransomware outage becomes a sprint against the clock as the targeted business fights to contain and clean up the crypto-ransomware and restore mission-critical operations. Because crypto-ransomware takes time to spread, intrusions are usually launched at night, when a successful attack can take longer to identify. This compounds the difficulty of quickly marshalling and orchestrating a qualified mitigation team.
Progent offers an assortment of services for securing businesses from ransomware attacks. These include team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security gateways with AI technology from SentinelOne to discover and disable zero-day cyber threats rapidly. Progent also provides the assistance of veteran crypto-ransomware recovery consultants with the talent and commitment to rebuild a breached system as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware attack, paying the ransom demand in cryptocurrency provides no assurance that the attackers will respond with the keys to decrypt any of your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms are commonly several hundred thousand dollars. For larger organizations, the ransom demand can reach millions of dollars. The alternative is to piece back together the key elements of your Information Technology environment. Without access to complete backups, this requires a broad range of IT skills, professional project management, and the willingness to work continuously until the recovery project is finished.
For twenty years, Progent has provided expert Information Technology services for companies across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the ability to knowledgeably understand the necessary systems, consolidate the surviving pieces of your IT system following a crypto-ransomware penetration, and configure them into a functioning system.
Progent's security group has state-of-the-art project management applications to orchestrate the complicated recovery process. Progent appreciates the importance of acting swiftly and in concert with a customer's management and Information Technology team members to assign priority to tasks and to put the most important services back on line as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Virus Restoration
A client sought out Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with limited room for operational disruption and is one of the most lucrative iterations of ransomware malware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. The majority of the client's system backups had been online at the beginning of the intrusion and were damaged. The client was evaluating paying the ransom demand (more than $200K) and hoping for the best, but ultimately called Progent.
"I can't thank you enough for the care Progent gave us during the most stressful time of (our) company's survival. We would have paid the criminal gangs if not for the confidence the Progent experts gave us. The fact that you could get our e-mail system and critical applications back online in less than 1 week was beyond my wildest dreams. Each staff member I spoke to or texted at Progent was totally committed to getting my company operational and was working all day and night on our behalf."
Progent worked together with the client to quickly assess and assign priority to the essential services that had to be addressed in order to restart departmental functions:
- Active Directory (AD)
- Microsoft Exchange Server
- MRP System
To begin, Progent followed malware incident response best practices by isolating the affected systems and cleaning them of malware. Progent then initiated the steps of bringing Windows Active Directory back online, since AD is the foundation of enterprise systems built on Microsoft Windows Server technology. Exchange messaging will not work without AD, and the business's financial and MRP software ran on SQL Server, which relies on Windows AD to authenticate access to the data.
In less than 48 hours, Progent was able to recover Active Directory to its pre-intrusion state. Progent then initiated reinstallation and storage recovery of the most important servers. All Microsoft Exchange Server schema and attributes were usable, which facilitated the restore of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder Files) on various workstations and laptops in order to recover mail data. A recent offline backup of the client's manufacturing systems made it possible to return these essential applications to service. Although a large amount of work remained to recover fully from the Ryuk virus, the most important systems were returned to operation quickly:
"For the most part, the manufacturing operation did not miss a beat and we made all customer sales."
Over the next couple of weeks, critical milestones in the restoration project were completed through tight cooperation between Progent team members and the client:
- In-house web applications were returned to operation without losing any data.
- The MailStore Exchange archive server, holding more than four million historical messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory modules were completely operational.
- A new Palo Alto Networks 850 firewall was set up.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"Much of what was accomplished in the initial days is mostly a blur for me, but our team will not soon forget the commitment each and every one of the team accomplished to help get our company back. I've trusted Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered. This event was a stunning achievement."
Conclusion
A potential business catastrophe was averted through hard-working experts, a broad array of knowledge, and close collaboration. In hindsight, the ransomware attack detailed here could have been identified and blocked with current security technology, ISO/IEC 27001 best practices, team training, appropriate incident response procedures for information protection, and proper patching controls. The fact remains, however, that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware virus, you can be confident that Progent's roster of professionals has extensive experience in crypto-ransomware virus blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for letting me get some sleep after we got over the initial fire. Everyone made an amazing effort, and if any of you guys is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Fort Wayne a portfolio of online monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services incorporate next-generation machine learning capability to uncover new strains of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting-edge behavior-based analysis technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily escape legacy signature-based AV products. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to manage the complete threat progression including blocking, detection, containment, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and response to security attacks from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP environment that addresses your company's specific needs and that allows you to achieve and demonstrate compliance with legal and industry data security regulations. Progent will assist you in defining and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent's consultants can also help your company install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup software providers to produce ProSight Data Protection Services, a selection of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and allow non-disruptive backup and fast recovery of important files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss caused by equipment breakdown, natural calamities, fire, malware like ransomware, human mistakes, ill-intentioned employees, or software bugs. Managed backup services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security companies to deliver centralized management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. The cloud filter serves as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper layer of inspection for incoming email. For outgoing email, the local gateway offers AV and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Exchange Server in tracking and safeguarding internal email that originates and ends within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map out, track, reconfigure and debug their connectivity appliances such as routers, firewalls, and access points plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network diagrams are always updated, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and generates notices when problems are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks like network mapping, expanding your network, finding appliances that require important updates, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by checking the state of vital computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT management staff and your Progent consultant so any potential issues can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host configured and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Since the environment is virtualized, it can be moved immediately to a different hosting solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and safeguard information about your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of the time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require when you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates cutting-edge behavior-based analysis technology to defend endpoints as well as physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely get by traditional signature-matching anti-virus products. Progent ASM services protect on-premises and cloud resources and provide a unified platform to automate the entire threat progression including blocking, intrusion detection, containment, remediation, and forensics. Top features include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Help Desk: Call Center Managed Services
Progent's Call Center services enable your IT group to outsource Support Desk services to Progent or split responsibilities for support services seamlessly between your internal network support group and Progent's nationwide pool of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth extension of your corporate IT support group. End user interaction with the Service Desk, provision of technical assistance, problem escalation, ticket creation and updates, efficiency metrics, and management of the support database are cohesive regardless of whether incidents are taken care of by your corporate support staff, by Progent, or both. Read more about Progent's outsourced/shared Help Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer businesses of any size a flexible and affordable alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT network. Besides maximizing the security and functionality of your computer environment, Progent's patch management services allow your in-house IT staff to focus on more strategic initiatives and activities that derive the highest business value from your network. Read more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected online account and enter your password, you are asked to verify your identity on a device that only you possess and that is reached over a separate network channel. A wide selection of out-of-band devices can be used for this second form of identity validation, such as an iPhone, an Android phone, a wearable, a hardware token, or a landline phone. You may designate several validation devices. For more information about Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of in-depth management reporting utilities designed to integrate with the leading ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues such as inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
For 24/7/365 Fort Wayne Ransomware Removal Consulting, contact Progent at 800-462-8800 or go to Contact Progent.