Ransomware : Your Worst Information Technology Disaster
Crypto-ransomware has become an escalating cyber pandemic that represents an extinction-level threat for businesses of all sizes that are unprepared for an attack. Ransomware families like the Dharma, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for many years and continue to cause havoc. The latest variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, as well as unnamed strains that appear daily, not only encrypt online data but also compromise whatever system protection they can reach. Data synchronized to the cloud can also be held hostage. In a poorly architected environment, this can render automatic restore operations impossible and effectively knocks the entire system back to square one.
Recovering applications and data after a ransomware attack becomes a race against the clock as the victim tries to contain the damage, eradicate the ransomware, and resume business-critical operations. Because ransomware needs time to spread, attacks are frequently launched during nights and weekends, when a successful intrusion may take longer to detect. This compounds the difficulty of quickly marshalling and coordinating a capable mitigation team.
Progent offers a range of solutions for protecting organizations from crypto-ransomware attacks. These include team member training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation of security appliances with machine learning capabilities from SentinelOne to identify and suppress zero-day cyber threats rapidly. Progent can also provide the assistance of veteran ransomware recovery consultants with the skills and commitment to restore a compromised system as soon as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, even paying the ransom demand in cryptocurrency does not guarantee that the criminals will hand over the keys needed to decrypt any or all of your files. Kaspersky determined that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms are often a few hundred thousand dollars. For larger enterprises, the ransom demand can reach millions. The alternative is to piece back together the key parts of your Information Technology environment. Without essential data backups, this calls for a wide complement of skill sets, professional team management, and the willingness to work continuously until the job is complete.
For decades, Progent has offered expert Information Technology services for companies throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded high-level certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of expertise enables Progent to rapidly identify critical systems, salvage the surviving parts of your IT environment following a ransomware attack, and reassemble them into a functioning system.
Progent's recovery group uses best-of-breed project management tools to orchestrate the complex recovery process. Progent appreciates the urgency of acting quickly and in concert with a customer's management and IT resources to prioritize tasks and to put key services back online as fast as possible.
Customer Story: A Successful Crypto-Ransomware Incident Recovery
A client hired Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state criminal gangs, possibly using techniques leaked from the United States NSA. Ryuk targets specific companies that have little ability to tolerate operational disruption and is among the most lucrative versions of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with around 500 workers. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (in excess of $200K) and hope for the best, but ultimately engaged Progent.
"I can't speak enough about the support Progent provided us throughout the most stressful time of (our) business's life. We would have paid the cybercriminals if not for the confidence the Progent experts gave us. The fact that you could get our e-mail and important servers back in less than five days was incredible. Each person I spoke to or e-mailed at Progent was amazingly focused on getting my company operational and was working non-stop on our behalf."
Progent worked with the client to quickly identify and prioritize the most important elements that had to be addressed to make it possible to resume company operations:
- Microsoft Active Directory
- Microsoft Exchange Server
- Accounting/MRP
To get started, Progent followed anti-malware intrusion mitigation best practices by halting lateral movement and cleaning up compromised systems. Progent then began the work of recovering Active Directory, the key technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server messaging will not operate without Active Directory, and the business's MRP software relied on Microsoft SQL Server, which requires Active Directory services for access to the database.
In less than 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then reinstalled and recovered the disks of mission-critical systems. All Exchange schema and configuration information was usable, which accelerated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Outlook Offline Data Files) on user PCs and laptops in order to recover mail data. A recent offline backup of the customer's accounting systems made it possible to return these vital applications to service. Although a lot of work remained to recover fully from the Ryuk damage, core services were restored rapidly:
"For the most part, the production line operation survived unscathed and we made all customer orders."
Over the following month, critical milestones in the recovery process were reached through close collaboration between Progent team members and the customer:
- In-house web sites were returned to operation without losing any information.
- The MailStore Server archive, holding more than 4 million historical messages, was restored to operation and made accessible to users.
- CRM/Customer Orders/Invoicing/AP/AR/Inventory modules were 100 percent operational.
- A new Palo Alto 850 firewall was installed and configured.
- 90% of the user desktops and notebooks were fully operational.
"A huge amount of what was accomplished that first week is nearly entirely a haze for me, but our team will not forget the countless hours each of you put in to give us our business back. I have been working together with Progent for at least 10 years, maybe more, and every time Progent has come through and delivered. This time was a stunning achievement."
Conclusion
A likely business extinction catastrophe was avoided thanks to top-tier professionals, a broad range of subject matter expertise, and tight collaboration. In hindsight, the ransomware penetration described here would have been identified and disabled by modern cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and properly executed procedures for data backup and for keeping systems current with security patches. Nevertheless, state-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of experts has proven experience in ransomware defense, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for letting me get some sleep after we got past the most critical parts. Everyone made an incredible effort, and if any of you guys are around the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this ransomware incident report, please click: Progent's Ransomware Recovery Case Study Datasheet (PDF - 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Buffalo a variety of online monitoring and security evaluation services designed to help you minimize the threat from crypto-ransomware. These services include modern AI capabilities to uncover zero-day strains of ransomware that can evade traditional signature-based security solutions.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network running at peak levels by checking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT staff and your Progent consultant so that all potential issues can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM for Networks, Servers, and Desktops
ProSight LAN Watch with NinjaOne RMM software offers a unified, cloud-driven solution for managing your client-server infrastructure by providing an environment for performing common tedious jobs. These can include health monitoring, patch management, automated repairs, endpoint deployment, backup and recovery, anti-virus protection, secure remote access, built-in and custom scripts, resource inventory, endpoint status reporting, and debugging support. If ProSight LAN Watch with NinjaOne RMM spots a serious problem, it transmits an alarm to your designated IT management staff and your Progent technical consultant so that emerging problems can be taken care of before they impact productivity. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring consulting.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, reconfigure and debug their connectivity hardware like switches, firewalls, and access points as well as servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always current, captures and manages the configuration information of almost all devices on your network, monitors performance, and generates notices when issues are discovered. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off common tasks like network mapping, expanding your network, locating devices that need critical software patches, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time and in-depth reporting utilities created to work with the top ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues like inconsistent support follow-up or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with leading backup technology companies to produce ProSight Data Protection Services (DPS), a family of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products automate and monitor your backup processes and allow non-disruptive backup and rapid recovery of important files/folders, applications, system images, plus virtual machines. ProSight DPS lets you protect against data loss resulting from hardware failures, natural disasters, fire, malware like ransomware, human mistakes, malicious employees, or application glitches. Managed services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide web-based control and comprehensive protection for your email traffic. The layered structure of Progent's Email Guard combines cloud-based filtering with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a preliminary barricade and blocks most unwanted email before it reaches your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further level of inspection for inbound email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server monitor and protect internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication service plans use Cisco's Duo cloud technology to protect against stolen passwords by means of two-factor authentication (2FA). Duo enables one-tap identity verification with iOS, Android, and other personal devices. With 2FA, when you log into a secured online account and enter your password, you are asked to confirm your identity on a device that only you possess and that uses a different network channel. A wide selection of out-of-band devices can serve as this second means of authentication, such as a smartphone or wearable, a hardware/software token, or a landline telephone. You can register several validation devices. To learn more about ProSight Duo identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- Outsourced/Co-managed Service Desk: Help Desk Managed Services
Progent's Call Center managed services allow your IT team to outsource Support Desk services to Progent or split activity for Help Desk services transparently between your in-house support team and Progent's nationwide roster of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent supplement to your corporate IT support organization. User access to the Help Desk, delivery of technical assistance, issue escalation, trouble ticket generation and tracking, efficiency metrics, and maintenance of the support database are cohesive whether incidents are resolved by your internal support staff, by Progent's team, or both. Read more about Progent's outsourced/shared Call Center services.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates next-generation behavior-based analysis tools to guard endpoint devices as well as physical and virtual servers against modern malware attacks such as ransomware and fileless exploits, which easily evade traditional signature-matching anti-virus products. Progent Active Security Monitoring services safeguard local and cloud-based resources and offer a unified platform to manage the complete malware attack progression, including protection, infiltration detection, containment, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard data about your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half the time wasted looking for critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer organizations of all sizes a versatile and affordable alternative for assessing, testing, scheduling, applying, and tracking updates to your dynamic IT system. Besides optimizing the protection and functionality of your IT environment, Progent's patch management services allow your in-house IT staff to concentrate on more strategic initiatives and tasks that deliver the highest business value from your network. Find out more about Progent's patch management services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hardware solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting-edge behavior-based machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to address the entire threat progression, including protection, identification, containment, cleanup, and forensics. Key capabilities include one-click rollback with Windows VSS and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer economical in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP environment that addresses your company's specific needs and that helps you demonstrate compliance with government and industry data security standards. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent can also help you set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
For Buffalo 24-7 Crypto Remediation Consultants, call Progent at 800-462-8800 or go to Contact Progent.