Ransomware : Your Crippling IT Disaster
Crypto-ransomware has become an all-too-frequent cyberplague that presents an existential danger to organizations unprepared for an attack. Earlier generations of crypto-ransomware such as Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for a long time and still cause havoc. The latest ransomware variants, such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with many unnamed strains, not only encrypt on-line information but also infiltrate and corrupt configured system restore points and backups. Data replicated to cloud environments can also be encrypted. In a vulnerable environment this can render automatic restoration useless and effectively knock the entire system back to zero.
Restoring services and data after a ransomware outage becomes a race against time as the targeted organization does its best to stop the spread, remove the ransomware and resume business-critical activity. Because ransomware needs time to move laterally, attacks are often launched on weekends and holidays, when a successful penetration typically takes longer to detect. This multiplies the difficulty of rapidly marshalling and organizing a capable mitigation team.
Progent makes available a range of solutions for securing organizations against ransomware attacks. Among these are user training to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security appliances with machine learning capabilities from SentinelOne to identify and quarantine new cyber threats automatically. Progent also provides the assistance of experienced crypto-ransomware recovery professionals with the track record and commitment to reconstruct a compromised network as quickly as possible.
Progent's Ransomware Restoration Services
Paying the ransom in cryptocurrency after a ransomware event does not ensure that the attackers will provide the keys to decrypt all your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information even after having paid the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to average around $13,000. The other path is to rebuild the critical parts of your Information Technology environment. Without usable backups of essential data, this calls for a broad range of skill sets, top-notch team management, and the capability to work 24x7 until the recovery project is complete.
For two decades, Progent has provided certified expert Information Technology services for businesses in Melbourne and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity experts have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the capability to efficiently identify important systems, consolidate the remaining pieces of your network environment after a crypto-ransomware attack, and configure them into a functioning system.
Progent's recovery team has top-notch project management tools to orchestrate the complex restoration process. Progent knows the urgency of acting rapidly and in unison with a client's management and IT team members to prioritize tasks and to put the most important services back on line as fast as possible.
Customer Case Study: A Successful Ransomware Penetration Response
A customer contacted Progent after their company was brought down by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state cybercriminals, suspected of using techniques leaked from America's NSA organization. Ryuk seeks out specific businesses with little room for disruption and is among the most lucrative examples of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer located in Chicago with around 500 workers. The Ryuk event had brought down all business operations and manufacturing processes. The majority of the client's data backups had been online at the start of the attack and were damaged. The client was considering paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately brought in Progent.
"I can't thank you enough in regards to the care Progent gave us throughout the most fearful period of (our) company's existence. We would have paid the cyber criminals behind the attack except for the confidence the Progent team afforded us. The fact that you could get our e-mail system and production servers back in less than five days was incredible. Each expert I interacted with or e-mailed at Progent was totally committed on getting us restored and was working 24/7 to bail us out."
Progent worked together with the client to rapidly identify and prioritize the key systems that had to be restored to allow company functions to continue:
- Windows Active Directory
- Microsoft Exchange Email
To start, Progent followed industry best practices for malware incident mitigation by halting lateral movement and cleaning up compromised systems. Progent then began rebuilding Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Active Directory, and the customer's MRP software used Microsoft SQL Server, which depends on Active Directory for authentication and authorization of access to the data.
In less than two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then assisted with reinstallation and storage recovery of essential applications. All Microsoft Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to locate local OST files (Outlook Offline Data Files) on team PCs to recover email information. A recent off-line backup of the client's manufacturing software enabled these vital services to be brought back online for users. Although major work remained to recover fully from the Ryuk event, essential systems were returned to operation quickly:
"For the most part, the production manufacturing operation did not miss a beat and we produced all customer shipments."
Over the next couple of weeks, critical milestones in the restoration process were accomplished through close cooperation between Progent consultants and the client:
- Self-hosted web applications were returned to operation without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was brought online and made accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were completely recovered.
- A new Palo Alto 850 security appliance was installed.
- Nearly all of the desktop computers were back into operation.
"So much of what was accomplished in the initial days is mostly a haze for me, but we will not forget the dedication all of the team accomplished to help get our company back. I've utilized Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered. This time was a life saver."
A potential company-ending disaster was averted thanks to results-oriented professionals, a wide spectrum of IT skills, and tight teamwork. Post-incident analysis showed that the ransomware penetration described here would have been stopped by modern security technology, security best practices, user and IT administrator education, and properly executed incident response procedures for data protection and software patching. Nevertheless, the reality remains that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and will continue. If you are hit by a ransomware incursion, you can be confident that Progent's team of professionals has substantial experience in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for letting me get rested after we made it over the first week. All of you did a fabulous job, and if any of you guys are visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this case study, click: Progent's Ransomware Recovery Case Study Datasheet (PDF - 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Melbourne a variety of online monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services incorporate next-generation AI capability to uncover new strains of ransomware that can escape detection by traditional signature-based anti-virus solutions.
For Melbourne 24x7 Crypto-Ransomware Recovery Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting-edge behavior-based analysis tools to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a unified platform to address the entire threat lifecycle, including protection, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help you to plan and implement a ProSight ESP environment that addresses your organization's specific requirements and that allows you to prove compliance with legal and industry data protection standards. Progent will assist you in defining and configuring the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also assist you to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has worked with advanced backup software providers to produce ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products manage and monitor your data backup operations and enable transparent backup and fast restoration of important files/folders, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware failures, natural disasters, fire, malware such as ransomware, user error, malicious insiders, or application bugs. Managed backup services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security companies to provide centralized control and comprehensive security for all your email traffic. The powerful architecture of Email Guard managed service combines cloud-based filtering with a local security gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter acts as a preliminary barricade and keeps most threats from making it to your network firewall. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway device adds a deeper layer of analysis for inbound email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Exchange Server to track and protect internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their connectivity hardware like routers and switches, firewalls, and access points plus servers, printers, client computers and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network diagrams are always current, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when problems are detected. By automating tedious network management processes, ProSight WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, finding devices that require important software patches, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management techniques to help keep your IT system operating efficiently by checking the state of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT staff and your Progent engineering consultant so any potential issues can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information about your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate up to 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates next-generation behavior-based machine learning tools to defend endpoints, servers and VMs against modern malware assaults such as ransomware and file-less exploits, which easily get by legacy signature-based AV products. Progent Active Security Monitoring services protect on-premises and cloud-based resources and offer a unified platform to manage the entire malware attack progression, including protection, identification, containment, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
Progent's Help Desk services allow your information technology team to offload Call Center services to Progent or split activity for Service Desk support transparently between your in-house network support group and Progent's nationwide roster of IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a seamless supplement to your in-house IT support organization. End user access to the Service Desk, provision of support services, problem escalation, trouble ticket generation and updates, efficiency measurement, and maintenance of the service database are cohesive whether incidents are taken care of by your in-house support group, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Call Center services.
- Patch Management: Patch Management Services
Progent's managed services for patch management offer organizations of any size a flexible and affordable alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT system. Besides optimizing the security and functionality of your computer environment, Progent's software/firmware update management services free up time for your IT staff to focus on line-of-business initiatives and tasks that deliver maximum business value from your network. Learn more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication. Duo enables single-tap identity confirmation on iOS, Google Android, and other personal devices. With 2FA, whenever you log into a protected application and enter your password, you are asked to confirm who you are on a device that only you possess and that is reached over a separate network channel. A broad selection of devices can be used as this second means of authentication, including an iPhone, an Android phone, a smartwatch, a hardware or software token, a landline telephone, and more. You can register several validation devices. To find out more about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing family of real-time and in-depth reporting utilities designed to integrate with the industry's top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like spotty support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.