Ransomware: Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger for businesses of all sizes that are poorly prepared for an attack. Multiple generations of ransomware such as CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for many years and continue to cause destruction. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with additional as yet unnamed malware, not only encrypt critical online data but also attack most accessible system protections, including backups. Information synchronized to cloud environments can also be encrypted. In a poorly architected system, this can render automatic recovery impossible and effectively knocks the network back to zero.
Bringing applications and data back online following a crypto-ransomware attack becomes a race against the clock as the victim tries its best to stop lateral movement, eradicate the malware, and resume mission-critical operations. Since crypto-ransomware needs time to move laterally, attacks are frequently launched during weekends and nights, when they typically take longer to notice. This multiplies the difficulty of promptly assembling and orchestrating a qualified response team.
Progent offers an assortment of services for protecting businesses from ransomware attacks. These include team training to help staff recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security gateways with machine learning capabilities from SentinelOne to detect and suppress zero-day cyber attacks intelligently. Progent also provides the assistance of experienced ransomware recovery consultants with the track record and perseverance to rebuild a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware attack, even paying the ransom in cryptocurrency does not ensure that the attackers will provide the keys needed to decrypt all your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their data even after paying the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET determined to be around $13,000. The alternative is to rebuild the mission-critical parts of your Information Technology environment. Without complete data backups, this calls for a broad complement of skills, well-coordinated team management, and the willingness to work non-stop until the job is finished.
For two decades, Progent has provided expert Information Technology services for businesses in Mission Viejo and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity specialists have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience with accounting and ERP applications. This breadth of expertise gives Progent the capability to efficiently identify critical systems, salvage the surviving pieces of your network following a crypto-ransomware attack, and rebuild them into a functioning system.
Progent's security team deploys top-notch project management tools to orchestrate the sophisticated recovery process. Progent appreciates the urgency of acting rapidly and in concert with a customer's management and Information Technology staff to prioritize tasks and to put essential applications back online as soon as possible.
Customer Story: A Successful Crypto-Ransomware Virus Recovery
A client contacted Progent after their company was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored hackers, possibly using techniques leaked from America's NSA. Ryuk attacks specific companies with limited tolerance for operational disruption and is one of the most lucrative instances of crypto-ransomware. Notable targets have included Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with around 500 staff members. The Ryuk attack had paralyzed all business operations and manufacturing processes. The majority of the client's system backups had been online at the time of the attack and were also encrypted. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately brought in Progent.
"I can't tell you enough about the expertise Progent gave us throughout the most critical period of (our) business's existence. We would have paid the cyber criminals if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our messaging and key applications back into operation in less than 1 week was amazing. Each staff member I interacted with or e-mailed at Progent was hell bent on getting our company operational and was working at all hours to bail us out."
Progent worked together with the customer to quickly assess and prioritize the essential elements that needed to be addressed to make it possible to continue company operations:
- Microsoft Active Directory
- Microsoft Exchange Email
To begin, Progent adhered to ransomware incident mitigation best practices by halting lateral movement and eradicating the malware from affected systems. Progent then initiated the process of rebuilding Microsoft Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange email will not operate without AD, and the client's MRP software relied on Microsoft SQL Server, which in turn depends on Active Directory to authenticate access to its data.
Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then completed reinstallations and storage recovery for mission-critical applications. All Exchange links and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from team PCs to recover email messages. A recent offline backup of the client's accounting/ERP systems made it possible to bring these essential applications back online. Although a large amount of work remained to recover fully from the Ryuk incident, essential services were restored quickly:
"For the most part, the production line operation was never shut down and we delivered all customer shipments."
Throughout the next couple of weeks key milestones in the restoration project were achieved through close collaboration between Progent engineers and the client:
- Self-hosted web sites were restored without losing any information.
- The MailStore Server holding more than four million archived messages was restored to operation and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were completely recovered.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of the user desktops were functioning as before the incident.
"A lot of what was accomplished in the initial days is mostly a haze for me, but we will not forget the countless hours each and every one of you put in to give us our company back. I have utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was no exception but maybe more Herculean."
A potential business-ending disaster was averted with top-tier professionals, a wide spectrum of IT skills, and tight collaboration. Although in hindsight the crypto-ransomware attack described here could have been stopped with modern security technology and security best practices, user and IT administrator education, and well-designed procedures for data backup and software patching, the reality remains that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has substantial experience in crypto-ransomware defense, remediation, and data restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for allowing me to get some sleep after we made it through the initial push. Everyone made an amazing effort, and if any of you guys are visiting the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Mission Viejo a variety of remote monitoring and security evaluation services to help you reduce the threat from crypto-ransomware. These services include modern artificial intelligence capabilities to uncover new strains of ransomware that can evade traditional signature-based security products.
For Mission Viejo 24-Hour CryptoLocker Removal Support Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's next-generation behavior analysis technology to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily evade traditional signature-based AV products. ProSight ASM safeguards local and cloud-based resources and provides a single platform to manage the entire threat lifecycle including protection, detection, containment, remediation, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services deliver ultra-affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to attacks from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can help your business plan and configure a ProSight ESP environment that meets your organization's specific requirements and that helps you demonstrate compliance with legal and industry data security standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent can also help your company install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore technology providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and track your data backup operations and allow transparent backup and fast recovery of critical files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss resulting from equipment failures, natural disasters, fire, malware such as ransomware, human error, malicious employees, or application glitches. Managed backup services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security companies to provide web-based management and world-class security for your email traffic. The powerful architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and blocks most unwanted email before it reaches your network firewall. This decreases your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper layer of inspection for incoming email. For outgoing email, the local gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The on-site security gateway can also assist Microsoft Exchange Server in monitoring and protecting internal email traffic that stays inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map out, track, optimize and debug their connectivity hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are always updated, copies and displays the configuration of virtually all devices on your network, monitors performance, and generates notices when issues are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, locating devices that need critical updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system operating at peak levels by tracking the state of critical assets that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT management personnel and your Progent engineering consultant so any looming problems can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect data related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can eliminate as much as 50% of time spent trying to find vital information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that utilizes next-generation behavior-based machine learning technology to defend endpoints, servers and VMs against modern malware attacks like ransomware and file-less exploits, which routinely get by legacy signature-matching AV products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a unified platform to manage the entire malware attack progression including protection, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Help Desk: Support Desk Managed Services
Progent's Call Center services enable your information technology staff to outsource Support Desk services to Progent or split activity for support services seamlessly between your internal network support resources and Progent's extensive roster of IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless extension of your in-house support team. User interaction with the Help Desk, provision of support, problem escalation, ticket generation and tracking, performance measurement, and management of the service database are consistent regardless of whether issues are resolved by your corporate IT support group, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Service Center services.
- Progent's Patch Management: Patch Management Services
Progent's support services for patch management provide businesses of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, applying, and tracking updates to your ever-evolving IT network. In addition to optimizing the protection and reliability of your IT environment, Progent's patch management services allow your IT team to focus on more strategic projects and activities that derive maximum business value from your information network. Find out more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA services utilize Cisco's Duo technology to protect against stolen passwords by using two-factor authentication. Duo supports single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected application and give your password, you are asked to confirm who you are via a device that only you possess and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used for this second means of authentication, such as a smartphone or wearable, a hardware/software token, or a landline telephone. You can designate multiple validation devices. To find out more about ProSight Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding suite of in-depth reporting plug-ins created to work with the leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.