Ransomware : Your Crippling Information Technology Catastrophe
Ransomware Remediation Experts

Ransomware has become an all-too-frequent cyberplague that presents an extinction-level threat to organizations vulnerable to attack. Earlier versions of ransomware such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for years and still cause havoc. Modern versions such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with other as-yet-unnamed malware, not only encrypt online data but also infiltrate any reachable system restore points and backups. Files replicated to the cloud can be encrypted as well. In a poorly architected data protection solution, this can render automated restoration useless and knock the entire system back to square one.

Recovering services and data after a crypto-ransomware intrusion becomes a race against the clock as the victim struggles to contain and eradicate the ransomware and restore mission-critical activity. Because crypto-ransomware takes time to move laterally, attacks are frequently launched on weekends and holidays, when successful intrusions often take longer to uncover. This multiplies the difficulty of promptly assembling and organizing a knowledgeable mitigation team.

Progent provides a variety of services for protecting businesses from ransomware events. These include training staff to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with AI technology from SentinelOne to identify and quarantine new threats quickly. Progent also offers the services of seasoned ransomware recovery consultants with the track record and perseverance to rebuild a breached network as soon as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware penetration, even paying the ransom in Bitcoin does not ensure that the distant criminals will provide the keys to decrypt any or all of your information. Kaspersky estimated that 17% of ransomware victims never restored their files even after sending off the ransom, compounding their losses. The ransom itself is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the vital components of your Information Technology environment. Without usable data backups, this requires a broad complement of skills, professional team management, and the willingness to work non-stop until the task is completed.

For two decades, Progent has provided expert Information Technology services for companies in Recife and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned high-level certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts hold internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of expertise gives Progent the capability to knowledgeably identify critical systems, reorganize the surviving components of your Information Technology system after a ransomware event, and rebuild them into an operational network.

Progent's ransomware team uses top-notch project management applications to coordinate the complicated recovery process. Progent appreciates the urgency of acting swiftly and in concert with a client's management and IT team members to prioritize tasks and put essential applications back online as fast as possible.

Business Case Study: A Successful Ransomware Penetration Recovery
A client contacted Progent after their network was brought down by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored cybercriminals, suspected of using algorithms leaked from America's NSA. Ryuk targets specific organizations with limited ability to sustain disruption and is among the most lucrative ransomware variants. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk event had disabled all company operations and manufacturing processes. The majority of the client's data backups had been online at the beginning of the attack and were damaged. The client considered paying the ransom demand (more than two hundred thousand dollars) and praying for good luck, but ultimately brought in Progent.

"I cannot tell you enough about the expertise Progent provided us throughout the most fearful time of (our) company's existence. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent group gave us. The fact that you could get our messaging and production servers back online sooner than five days was beyond my wildest dreams. Each person I interacted with or e-mailed at Progent was laser focused on getting our company operational and was working at breakneck pace to bail us out."

Progent worked together with the customer to quickly identify and prioritize the essential applications that had to be recovered in order to continue business operations:

  • Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP

To start, Progent followed antivirus/malware incident response best practices by halting lateral movement and removing active malware. Progent then began rebuilding Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange messaging will not operate without Windows AD, and the client's MRP applications relied on Microsoft SQL Server, which depends on Active Directory services for access to the data.

Within 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then began rebuilding and recovering storage for the most important systems. All Microsoft Exchange Server data and attributes were intact, which greatly helped the restoration of Exchange. Progent was also able to gather intact OST data files (Microsoft Outlook Off-Line Folder Files) from team desktop computers to recover email messages. A fairly recent offline backup of the business's manufacturing software made it possible to bring these vital services back online. Although a large amount of work remained to recover fully from the Ryuk malware, core systems were restored quickly:


"For the most part, the production manufacturing operation survived unscathed and we made all customer deliverables."

Over the following few weeks, key milestones in the restoration project were reached through tight cooperation between Progent consultants and the client:

  • In-house web applications were returned to operation without losing any data.
  • The MailStore archive for Microsoft Exchange Server, containing more than four million archived messages, was restored to operation and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was installed.
  • Ninety percent of the user PCs were back in use by staff.

"So much of what occurred during the initial response is nearly entirely a fog for me, but our team will not forget the urgency each of your team accomplished to give us our company back. I have utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This situation was a stunning achievement."

Conclusion
A potentially business-killing disaster was averted by dedicated professionals, a broad array of knowledge, and tight collaboration. In post mortem, the crypto-ransomware penetration detailed here would have been identified and prevented with modern cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and well-designed procedures for data backup and patching controls. Nevertheless, government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware penetration, you can be confident that Progent's roster of professionals has extensive experience in crypto-ransomware defense, mitigation, and file restoration.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for letting me get some sleep after we made it through the initial push. Everyone made an impressive effort, and if any of your team is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer story, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF - 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Recife a variety of remote monitoring and security assessment services to help you reduce the threat from ransomware. These services include next-generation machine learning technology to detect new variants of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting-edge behavior-based analysis tools to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and offers a unified platform to manage the entire threat progression, including filtering, identification, containment, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP environment that meets your organization's unique needs and that allows you to prove compliance with legal and industry information protection regulations. Progent will assist you in specifying and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also help your company set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with advanced backup technology providers to produce ProSight Data Protection Services (DPS), a family of subscription-based offerings that provide backup-as-a-service. ProSight DPS services manage and monitor your data backup processes and enable transparent backup and fast recovery of important files, apps, images, and virtual machines. ProSight DPS helps your business avoid data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, user error, ill-intentioned employees, or software glitches. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver web-based management and comprehensive security for all your email traffic. The hybrid architecture of Email Guard integrates cloud-based filtering with a local security gateway device to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and blocks most unwanted email before it reaches your security perimeter. This decreases your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a further level of analysis for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Microsoft Exchange Server monitor and protect internal email that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, track, reconfigure and debug their networking appliances such as switches, firewalls, and load balancers plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are always updated, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating time-consuming management processes, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, locating devices that need critical software patches, or resolving performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system operating efficiently by tracking the state of critical assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT management staff and your assigned Progent consultant so any looming problems can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be ported immediately to an alternate hosting environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes cutting-edge behavior-based analysis technology to guard endpoints, servers and VMs against new malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus products. Progent ASM services safeguard local and cloud-based resources and provide a single platform to automate the entire malware attack progression, including protection, identification, containment, remediation, and forensics. Key capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Desk: Support Desk Managed Services
    Progent's Help Desk managed services enable your information technology team to outsource Support Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house network support staff and Progent's extensive pool of IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth supplement to your internal IT support group. Client interaction with the Service Desk, provision of technical assistance, escalation, trouble ticket generation and tracking, efficiency measurement, and management of the service database are cohesive whether incidents are taken care of by your core network support group, by Progent, or by a combination. Find out more about Progent's outsourced/shared Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a flexible and affordable alternative for assessing, testing, scheduling, applying, and documenting updates to your ever-evolving information network. In addition to maximizing the protection and reliability of your IT environment, Progent's software/firmware update management services allow your in-house IT staff to focus on more strategic initiatives and tasks that deliver maximum business value from your information network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo supports one-tap identity confirmation with Apple iOS, Android, and other personal devices. With Duo 2FA, when you sign into a protected application and enter your password, you are asked to verify your identity via a device that only you possess and that is reached over a separate network channel. A broad range of out-of-band devices can be used for this second form of identity validation, including a smartphone or wearable, a hardware/software token, or a landline telephone. You may register multiple verification devices. To find out more about Duo identity authentication services, visit Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of real-time management reporting tools created to integrate with the top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues like spotty support follow-through or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.

For Recife 24x7x365 Ransomware Recovery Services, reach out to Progent at 800-462-8800 or go to Contact Progent.