Crypto-Ransomware: Your Crippling IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level threat for businesses of all sizes vulnerable to an attack. Ransomware families such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and the MongoLock cryptoworm have been spreading for years and continue to wreak havoc. Newer crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, plus a steady stream of as yet unnamed newcomers, not only encrypt online data files but also corrupt any system protection they can reach. Data synced to cloud environments can also be rendered useless. In a poorly architected environment, this can make automated restoration hopeless and effectively set the entire system back to square one.
Getting applications and data back online after a ransomware event becomes a race against the clock as the targeted organization struggles to stop lateral movement, remove the malware, and restore enterprise-critical operations. Because crypto-ransomware takes time to spread, attacks are often launched on nights and weekends, when a successful intrusion typically takes longer to notice. This multiplies the difficulty of promptly marshalling and coordinating a capable mitigation team.
Progent offers an assortment of solutions for protecting enterprises from ransomware events. Among these are staff training to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of modern security appliances using machine learning technology from SentinelOne to detect and stop zero-day threats quickly. Progent can also provide the services of seasoned crypto-ransomware recovery engineers with the track record and perseverance to rebuild a compromised system as urgently as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware event, even paying the ransom demand in Bitcoin provides no assurance that the cyber criminals will respond with the keys needed to decrypt any of your files. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their data after paying the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be around $13,000. The alternative is to rebuild the essential parts of your IT environment. Without access to complete data backups, this calls for a broad complement of skill sets, top-notch team management, and the capability to work continuously until the recovery project is complete.
For twenty years, Progent has provided professional IT services for companies in Fort Wayne and throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold advanced certifications in key technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the skills to rapidly identify critical systems, organize the remaining pieces of your network environment after a ransomware event, and rebuild them into a functioning network.
Progent's ransomware team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and get essential systems back online as fast as humanly possible.
Client Story: A Successful Ransomware Incident Response
A small business hired Progent after their company was penetrated by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored hackers, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific companies with limited tolerance for operational disruption and is one of the most lucrative variants of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk intrusion had paralyzed all essential business operations and manufacturing processes. Most of the client's backups were online at the time of the attack and were destroyed. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but in the end brought in Progent.
"I can't thank you enough for the support Progent provided us during the most fearful time of (our) company's life. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent group gave us. The fact that you could get our messaging and essential servers back into operation in less than five days was incredible. Each consultant I interacted with or communicated with at Progent was totally committed to getting our company operational and was working 24/7 on our behalf."
Progent worked hand in hand with the customer to quickly assess and prioritize the essential applications that had to be restored to allow company operations to continue:
Progent began by following industry best practices for ransomware incident response: containing the spread and cleaning infected systems. Progent then began rebuilding Microsoft Active Directory, the core technology of enterprise environments built on Microsoft products. Microsoft Exchange Server email will not function without Active Directory, and the business's MRP applications ran on Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.
- Windows Active Directory
Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with reinstallation and storage recovery of the needed servers. All Microsoft Exchange Server schema and attributes were intact, which accelerated the restoration of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Offline Data Files) from staff workstations to recover mail data. A fairly recent offline backup of the business's financials/ERP systems made it possible to return these vital applications to service. Although major work remained to recover fully from the Ryuk event, the most important services were restored quickly:
"For the most part, the manufacturing operation was never shut down and we made all customer sales."
Over the following month, key milestones in the recovery process were completed through close cooperation between Progent engineers and the customer:
- In-house web sites were brought back up with no loss of data.
- The MailStore Server, holding more than 4 million archived emails, was brought online and made accessible to users.
- CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control capabilities were 100% operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- 90% of the desktops and laptops were fully operational.
"A huge amount of what happened that first week is mostly a haze for me, but I will not forget the dedication all of the team put in to help get our company back. I have utilized Progent for the past ten years, possibly more, and every time Progent has impressed me and delivered. This time was a Herculean accomplishment."
A likely business-ending disaster was averted through results-oriented experts, a broad spectrum of subject matter expertise, and close collaboration. Although in hindsight the ransomware intrusion detailed here could have been blocked by current cyber security technology and security best practices, staff training, and appropriate procedures for data protection and software patching, the reality remains that state-sponsored and criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware intrusion, rest assured that Progent's roster of professionals has proven experience in crypto-ransomware defense, mitigation, and file recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for letting me get rested after we got past the initial fire. Everyone made an amazing effort, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Fort Wayne a variety of remote monitoring and security evaluation services to help you reduce the threat from crypto-ransomware. These services include modern machine learning technology to uncover new variants of ransomware that can get past legacy signature-based security solutions.
For Fort Wayne 24-7 Ransomware Cleanup Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses SentinelOne's cutting-edge behavior-based machine learning tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get past traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the entire threat lifecycle including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection services offer ultra-affordable, in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and react to security attacks from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through cutting-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP deployment that addresses your company's unique requirements and helps you demonstrate compliance with government and industry information security regulations. Progent will assist you in defining and implementing the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help your company install and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore software companies to produce ProSight Data Protection Services, a family of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and enable transparent backup and fast recovery of critical files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware breakdown, natural calamities, fire, malware such as ransomware, user error, ill-intentioned employees, or application glitches. Managed services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security vendors to deliver centralized management and comprehensive security for all your email traffic. The layered architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to external attacks and conserves network bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of analysis for incoming email. For outbound email, the onsite security gateway offers AV and anti-spam protection, data leak protection, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map out, monitor, reconfigure and troubleshoot their networking hardware such as switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your network operating at peak levels by tracking the state of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT management staff and your Progent consultant so that all potential issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved easily to a different hardware environment without a time-consuming and difficult reconfiguration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates or domains. By updating and managing your network documentation, you can eliminate up to 50% of the time spent searching for vital information about your IT network. ProSight IT Asset Management provides a centralized location for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require when you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates cutting-edge behavior-based analysis tools to defend endpoint devices, servers and VMs against modern malware attacks like ransomware and file-less exploits, which easily evade legacy signature-matching AV products. Progent ASM services protect on-premises and cloud resources and offer a unified platform to automate the complete threat lifecycle including blocking, infiltration detection, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Service Desk: Support Desk Managed Services
Progent's Help Center managed services enable your IT team to outsource Call Center services to Progent or split activity for support services seamlessly between your in-house network support staff and Progent's nationwide pool of certified IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a transparent extension of your corporate support organization. Client access to the Service Desk, provision of support, issue escalation, trouble ticket creation and tracking, performance metrics, and management of the support database are cohesive whether incidents are taken care of by your in-house IT support resources, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Call Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide organizations of any size with a flexible and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT system. In addition to maximizing the security and reliability of your computer environment, Progent's software/firmware update management services allow your in-house IT team to focus on more strategic initiatives and activities that derive maximum business value from your network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo authentication managed services use Cisco's Duo cloud technology to protect against compromised passwords through two-factor authentication (2FA). Duo supports one-tap identity verification on Apple iOS, Google Android, and other personal devices. With Duo 2FA, when you sign into a protected online account and enter your password, you are asked to verify your identity on a device that only you possess and that is reached over a different ("out-of-band") network channel. A wide range of devices can serve as this second means of identity validation, such as a smartphone or wearable, a hardware token, or a landline telephone. You can register several validation devices. For more information about Duo two-factor identity validation services, refer to Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing family of real-time reporting plug-ins designed to work with the industry's leading ticketing and network monitoring platforms, including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and uses color coding to highlight and contextualize key issues like spotty support follow-through or machines with out-of-date antivirus. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.