Ransomware: Your Worst Information Technology Nightmare
Crypto-ransomware has become a modern cyber pandemic that represents an existential danger for businesses vulnerable to an attack. Versions of ransomware like the CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and still cause havoc. Newer strains like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, plus frequent unnamed variants, not only encrypt online files but also infiltrate most accessible system restores and backups. Information synchronized to cloud environments can also be corrupted. In a poorly designed system, this can make automatic restoration impossible and knock the entire system back to square one.
Getting applications and information back online after a ransomware intrusion becomes a race against the clock as the targeted business fights to contain the damage, remove the ransomware, and restore enterprise-critical activity. Because ransomware takes time to spread, intrusions are often launched on nights and weekends, when they may take longer to identify. This compounds the difficulty of quickly marshalling and coordinating a capable mitigation team.
Progent makes available a range of solutions for protecting organizations from ransomware attacks. Among these are team education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of next-generation security gateways with artificial intelligence capabilities from SentinelOne to discover and extinguish zero-day cyber threats intelligently. Progent also offers the assistance of expert ransomware recovery professionals with the skills and perseverance to reconstruct a compromised system as soon as possible.
Progent's Ransomware Restoration Help
Following a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that distant criminals will return the codes to decrypt any or all of your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their data even after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000). This is greatly above the typical crypto-ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to piece back together the mission-critical elements of your Information Technology environment. Absent access to essential information backups, this requires a wide complement of skills, top-notch project management, and the capability to work 24x7 until the job is finished.
For twenty years, Progent has made available professional IT services for companies in Buffalo and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned high-level certifications in leading technologies like Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity consultants have garnered internationally renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent in addition has experience with financial management and ERP software solutions. This breadth of expertise affords Progent the skills to knowledgeably identify important systems, organize the surviving parts of your network following a ransomware event, and rebuild them into a functioning system.
Progent's recovery group utilizes top-notch project management tools to orchestrate the sophisticated recovery process. Progent knows the urgency of acting rapidly and in unison with a customer's management and IT resources to assign priority to tasks and to put essential systems back online as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Penetration Restoration
A client engaged Progent after their organization was compromised by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored criminal gangs, possibly using techniques leaked from the United States National Security Agency. Ryuk goes after specific businesses with little ability to sustain operational disruption and is among the most profitable ransomware families. Headline targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with around 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing capabilities. Most of the client's system backups had been directly accessible at the beginning of the intrusion and were destroyed. The client was evaluating paying the ransom (more than $200K) and hoping for good luck, but ultimately reached out to Progent.
"I can't thank you enough in regard to the help Progent provided us during the most stressful period of (our) business's life. We would have had little choice but to pay the criminal gangs if it hadn't been for the confidence the Progent team afforded us. That you could get our e-mail and production servers back in less than a week was beyond my wildest dreams. Every single staff member I got help from or communicated with at Progent was laser focused on getting us restored and was working at all hours to bail us out."
Progent worked hand in hand with the customer to rapidly determine and prioritize the key elements that needed to be addressed to make it possible to continue business operations:
- Windows Active Directory
- Microsoft Exchange Email
To start, Progent followed ransomware incident mitigation industry best practices by halting the spread and cleaning systems of malware. Progent then initiated the work of restoring Microsoft Active Directory (AD), the key technology of enterprise networks built upon Microsoft Windows Server. Microsoft Exchange email will not operate without Windows AD, and the business's MRP applications used Microsoft SQL Server, which relies on Active Directory for authorization to the databases.
Within two days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then completed setup and storage recovery of mission-critical applications. All Exchange Server connections and configuration information remained usable, which facilitated the rebuild of Exchange. Progent was able to locate local OST files (Outlook Offline Folder Files) on user PCs in order to recover email data. A recent offline backup of the business's accounting/MRP systems made it possible to bring these essential applications back online. Although a lot of work remained to recover totally from the Ryuk attack, critical services were recovered quickly:
"For the most part, the manufacturing operation ran fairly normal throughout and we did not miss any customer shipments."
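The mailbox-recovery step described above, locating Outlook's local offline caches on user PCs, is the kind of task a recovery team wants scripted rather than done by hand. The following PowerShell is an added example, not Progent's own tooling: it inventories OST and PST files on a workstation and records path, owner, size, last write time (which tells when the cache last synchronized with Exchange) and a SHA-256 hash taken before anything is copied, so each recovered copy can later be verified against the original. It assumes the default profile location under C:\Users and an account with read access to every profile.

```powershell
# Added example, not Progent's own script: inventory Outlook OST/PST files
# on a workstation so mailbox content can be recovered and later verified.
# Assumes the default per-user profile location under C:\Users and an
# account with read access to every user profile.

function Get-OutlookDataFileInventory {
    param(
        [string]$ProfileRoot = 'C:\Users',
        # Hashing multi-gigabyte OST files is slow; skip it for a quick first pass.
        [switch]$SkipHash
    )
    # Outlook keeps the offline cache (*.ost) and any local archives (*.pst)
    # under each user's profile; search the whole profile tree in case a
    # user relocated them.
    Get-ChildItem -Path $ProfileRoot -Recurse -File -Include '*.ost', '*.pst' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = $null
            if (-not $SkipHash) {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                # First path segment below the profile root is the user name
                User          = $_.FullName.Substring($ProfileRoot.Length).TrimStart('\').Split('\')[0]
                Path          = $_.FullName
                SizeMB        = [math]::Round($_.Length / 1MB, 1)
                LastWriteTime = $_.LastWriteTime
                Sha256        = $hash
            }
        }
}

# Usage: export the inventory to CSV for the recovery team's tracking sheet.
Get-OutlookDataFileInventory |
    Export-Csv -Path "$env:TEMP\outlook-datafiles-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it once per workstation (or push it through your RMM tool) and merge the CSVs; a cache whose LastWriteTime predates the outage by weeks is a stale copy and should be ranked below a fresher one from the same user.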
Throughout the following few weeks, key milestones in the restoration process were accomplished through close collaboration between Progent consultants and the client:
- In-house web applications were returned to operation with no loss of data.
- The MailStore Microsoft Exchange Server with over 4 million historical emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were 100 percent recovered.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Nearly all of the user desktops were fully operational.
"A huge amount of what occurred that first week is mostly a haze for me, but we will not forget the commitment each of you accomplished to help get our company back. I have been working together with Progent for at least 10 years, possibly more, and every time Progent has shined and delivered. This situation was a life saver."
A likely business catastrophe was dodged thanks to dedicated professionals, a broad range of technical expertise, and tight collaboration. Although, in post mortem, the crypto-ransomware incident detailed here could have been shut down with advanced cybersecurity technology, NIST Cybersecurity Framework best practices, staff training, well-designed incident response procedures, data protection, and proper patching controls, the reality remains that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware incursion, remember that Progent's team of experts has extensive experience in crypto-ransomware defense, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get rested after we made it past the initial push. Everyone made an incredible effort, and if anyone is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this ransomware incident report, see Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Buffalo a variety of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services incorporate modern AI capability to detect zero-day strains of ransomware that are able to evade traditional signature-based security products.
For 24x7 Buffalo Crypto Repair Support Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting-edge behavioral machine learning technology to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to automate the entire threat lifecycle including filtering, identification, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies packaged within one agent accessible from a single console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP deployment that meets your organization's unique needs and that helps you demonstrate compliance with legal and industry data protection regulations. Progent will assist you in specifying and configuring the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent can also help your company set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup/restore technology providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS services automate and track your backup processes and enable non-disruptive backup and fast recovery of critical files, applications, system images, and VMs. ProSight DPS helps you recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or application bugs. Managed services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these fully managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide centralized management and world-class protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard combines cloud-based filtering with an on-premises gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of analysis for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that stays inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to map out, track, optimize and debug their connectivity hardware such as switches, firewalls, and load balancers as well as servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and displays the configuration information of virtually all devices on your network, monitors performance, and sends notices when problems are detected. By automating complex network management processes, ProSight WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, finding appliances that require critical updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to help keep your IT system running efficiently by checking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT staff and your Progent engineering consultant so that any potential issues can be resolved before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to a different hardware environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can save as much as half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that utilizes cutting-edge behavioral machine learning tools to defend endpoints and physical and virtual servers against new malware attacks such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and offer a single platform to address the entire malware attack lifecycle including filtering, detection, containment, cleanup, and forensics. Top capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and recovery services.
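Both ProSight Active Security Monitoring (described earlier) and Active Protection Against Ransomware depend on Windows VSS snapshots for their one-click rollback, and the case study above notes that the attackers destroyed the backups they could reach. A rollback feature is only as good as the snapshots that still exist, so a practitioner will want to verify them and watch for their destruction. The following PowerShell is an added example, not part of Progent's or SentinelOne's products: it reports how many shadow copies each lettered volume currently holds and when the newest was taken, and it searches the Security log for process-creation events in which a shadow-copy or backup-catalog deletion was attempted. It assumes an elevated session on a Windows host with process-creation auditing (Security event 4688) and command-line logging enabled.

```powershell
# Added example, not Progent's or SentinelOne's code: verify that VSS rollback
# material exists and look for attempts to destroy it.
# Assumes an elevated PowerShell session and that "Audit Process Creation"
# (Security event 4688) with "Include command line" is enabled by policy.

function Get-ShadowCopySummary {
    # One row per lettered volume: shadow-copy count and age of the newest one.
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy
    foreach ($v in $volumes) {
        # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID are both the
        # \\?\Volume{GUID}\ path, so they can be matched directly.
        $mine = @($shadows | Where-Object { $_.VolumeName -eq $v.DeviceID })
        [pscustomobject]@{
            Drive   = $v.DriveLetter
            Shadows = $mine.Count
            Newest  = if ($mine.Count) { ($mine | Sort-Object InstallDate -Descending)[0].InstallDate } else { $null }
        }
    }
}

function Find-ShadowCopyDeletionEvents {
    param([int]$Days = 7)
    # Security 4688 = "a new process has been created". The CommandLine field is
    # empty unless command-line logging is enabled, in which case only the
    # process name can be matched and the regex below will not fire.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['SubjectUserName']
                Process     = $data['NewProcessName']
                CommandLine = $data['CommandLine']
            }
        } |
        Where-Object {
            # Shadow-copy and backup-catalog deletion via the built-in Windows
            # tools; these are the same patterns public detection rules use.
            $_.CommandLine -match '(?i)vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete|wbadmin.*delete.*catalog'
        }
}

# Usage: a quick health check, then the last two weeks of suspicious deletions.
Get-ShadowCopySummary            | Format-Table -AutoSize
Find-ShadowCopyDeletionEvents -Days 14 | Format-Table -AutoSize -Wrap
```

A volume with zero shadow copies, or a newest snapshot far older than the configured schedule, means rollback has nothing to roll back to; any hit from the second function on a server where no administrator was doing maintenance is worth treating as an incident rather than a curiosity, because snapshot destruction typically precedes encryption by minutes.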
- Progent's Outsourced/Shared Call Center: Call Center Managed Services
Progent's Call Desk services allow your IT staff to offload Call Center services to Progent or divide activity for support services transparently between your in-house network support resources and Progent's nationwide roster of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth supplement to your corporate IT support resources. Client interaction with the Service Desk, provision of technical assistance, problem escalation, ticket generation and updates, efficiency measurement, and management of the service database are cohesive whether incidents are resolved by your core IT support staff, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide organizations of all sizes a versatile and affordable solution for assessing, testing, scheduling, applying, and documenting updates to your dynamic IT network. Besides optimizing the security and functionality of your IT environment, Progent's software/firmware update management services free up time for your IT staff to focus on line-of-business initiatives and tasks that deliver the highest business value from your information network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo authentication services utilize Cisco's Duo cloud technology to protect against stolen passwords through the use of two-factor authentication. Duo enables one-tap identity confirmation on iOS, Google Android, and other personal devices. Using Duo 2FA, whenever you sign into a protected application and give your password you are asked to confirm your identity via a device that only you possess and that is reached over a different ("out-of-band") network channel. A wide selection of devices can be used for this second form of identity validation, including a smartphone or wearable, a hardware/software token, or a landline phone. You may designate several verification devices. To learn more about Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of real-time and in-depth reporting tools designed to work with the industry's leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.