Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level danger to businesses of all sizes that are poorly prepared for an attack. Different iterations of crypto-ransomware such as the CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have run rampant for years and continue to cause damage. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus additional as yet unnamed strains, not only encrypt online files but also compromise most accessible system restore points and backups. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make automatic restore operations impossible and effectively sets the network back to square one.
Restoring applications and data after a crypto-ransomware event becomes a race against the clock as the victim tries to contain the damage, clean up the ransomware and resume business-critical operations. Because ransomware needs time to spread, intrusions are often launched on weekends, when successful attacks are likely to take longer to discover. This compounds the difficulty of rapidly marshalling and organizing a capable response team.
Progent provides a range of solutions for protecting businesses from ransomware intrusions. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with artificial intelligence capabilities from SentinelOne to discover and suppress zero-day threats quickly. Progent also provides the services of expert ransomware recovery professionals with the skills and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware attack, even paying the ransom demand in Bitcoin does not ensure that the attackers will provide the keys to decrypt any or all of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their data after sending the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to rebuild the key components of your IT environment from scratch. Without access to complete system backups, this requires a broad range of skill sets, professional project management, and the capability to work continuously until the job is finished.
For twenty years, Progent has offered expert IT services for businesses in Recife and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the ability to rapidly identify important systems following a ransomware event, integrate the remaining pieces of your IT environment, and assemble them into a functioning network.
Progent's security team uses best-of-breed project management applications to orchestrate the complex recovery process. Progent appreciates the importance of working rapidly and in concert with a customer's management and IT resources to prioritize tasks and to get critical systems back online as soon as humanly possible.
Client Story: A Successful Ransomware Attack Recovery
A business engaged Progent after its network was taken over by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean government-sponsored criminal gangs, suspected of using technology leaked from America's National Security Agency. Ryuk targets specific companies with little or no room for operational disruption and is among the most profitable incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with about 500 workers. The Ryuk intrusion had shut down all company operations and manufacturing processes. The majority of the client's backups had been directly accessible at the start of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for the best, but in the end engaged Progent.
"I can't speak enough about the support Progent gave us during the most fearful period of (our) business's existence. We may have had to pay the Hackers except for the confidence the Progent experts afforded us. That you were able to get our messaging and critical applications back online faster than 1 week was something I thought impossible. Each expert I spoke to or messaged at Progent was laser focused on getting us working again and was working day and night on our behalf."
Progent worked with the customer to rapidly understand and prioritize the most important applications that needed to be restored in order to continue departmental operations:
- Active Directory
- Electronic Messaging
- MRP System
To get started, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and removing active malware. Progent then began the task of recovering Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not function without AD, and the customer's financial and MRP applications relied on SQL Server, which in turn depended on Active Directory for access to the database.
In less than 2 days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then assisted with setup and hard drive recovery of essential systems. All Microsoft Exchange Server relationships and attributes were usable, which accelerated the restoration of Exchange. Progent was also able to locate local OST files (Microsoft Outlook Offline Data Files) on user desktop computers and laptops in order to recover email data. A reasonably recent offline backup of the customer's financial/MRP systems made it possible to bring these essential applications back into service. Although a great deal of work still had to be done to recover completely from the Ryuk attack, the most important services were recovered quickly:
"For the most part, the assembly line operation showed little impact and we made all customer deliverables."
During the next couple of weeks, key milestones in the recovery project were reached through close collaboration between Progent engineers and the customer:
- Self-hosted web sites were restored without losing any data.
- The MailStore Server archive, holding more than four million historical messages, was brought back online and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory Control capabilities were fully functional.
- A new Palo Alto 850 firewall was brought online.
- Most of the user desktops and notebooks were operational.
"A lot of what happened those first few days is nearly entirely a fog for me, but our team will not forget the commitment each of your team put in to help get our company back. I've been working together with Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered. This event was a stunning achievement."
A potentially business-ending disaster was averted thanks to top-tier professionals, a broad range of technical expertise, and tight collaboration. In hindsight, the ransomware incident described here could have been prevented with up-to-date cyber security solutions and security best practices, user and IT administrator training, and well-thought-out incident response procedures for data protection and software patching. The reality, however, is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and will keep attacking. If you do get hit by ransomware, you can be confident that Progent's team of professionals has a proven track record in crypto-ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), I'm grateful for letting me get some sleep after we got through the most critical parts. Everyone did a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Recife a variety of online monitoring and security assessment services to help you minimize your exposure to crypto-ransomware. These services include modern AI technology to uncover new variants of ransomware that can get past traditional signature-based anti-virus solutions.
For Recife 24x7 Ransomware Removal Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely get past traditional signature-matching anti-virus tools. ProSight ASM protects local and cloud resources and offers a single platform to manage the complete malware attack lifecycle, including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
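The opening section notes that newer ransomware strains go after system restore points and backups, and the ASM description above relies on Windows VSS shadow copies for single-click rollback. A rollback can only succeed if those shadow copies still exist, so a practitioner will want to alert on the commands that remove them before encryption starts. The following Python script is an added example written for this page, not Progent's or SentinelOne's code. It scans process-creation events flattened into constructed "Image | CommandLine | User" lines (the sample lines are made up for the example), matches the well-documented shadow-copy and recovery-disabling patterns, and escalates any account that trips more than one distinct rule. The rule names, the `allow_users` parameter and the escalation threshold are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events, flattened to
# "Image | CommandLine | User". These lines are made up for this
# example and do not come from any real incident.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe | vssadmin delete shadows /all /quiet | CORP\svc-backup",
    r"C:\Windows\System32\wbem\WMIC.exe | wmic shadowcopy delete | CORP\jdoe",
    r"C:\Windows\System32\vssadmin.exe | vssadmin list shadows | CORP\itadmin",
    r"C:\Windows\System32\bcdedit.exe | bcdedit /set {default} recoveryenabled no | CORP\jdoe",
    r"C:\Windows\System32\wbadmin.exe | wbadmin delete catalog -quiet | CORP\jdoe",
    r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | OUTLOOK.EXE | CORP\jdoe",
]

# Detection rules (names are this example's own). Each pattern targets a
# command that removes or disables the recovery data a VSS rollback needs.
# Listing shadows ("vssadmin list shadows") is benign and must not match.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_storage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]


@dataclass
class Finding:
    rule: str
    user: str
    command_line: str


def parse_event(line):
    """Split one flattened event into (image, command_line, user)."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 3:
        raise ValueError(f"malformed event line: {line!r}")
    return parts[0], parts[1], parts[2]


def scan_events(lines, allow_users=()):
    """Return one Finding per event whose command line matches a rule.

    allow_users (assumed parameter) lets a tuned deployment suppress
    accounts that legitimately manage shadow storage, e.g. a backup
    service account; it is empty by default so nothing is hidden.
    """
    findings = []
    for line in lines:
        _image, cmdline, user = parse_event(line)
        if user in allow_users:
            continue
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(name, user, cmdline))
                break  # one finding per event is enough
    return findings


def escalated_users(findings, threshold=2):
    """Accounts that triggered at least `threshold` distinct rules.

    A single shadow deletion may be an administrator's housekeeping; several
    different recovery-destroying commands from one account in a short window
    is the pattern seen just before encryption, so it is escalated.
    """
    rules_by_user = {}
    for f in findings:
        rules_by_user.setdefault(f.user, set()).add(f.rule)
    return {u for u, rules in rules_by_user.items() if len(rules) >= threshold}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.rule}] {f.user}: {f.command_line}")
    print("escalate:", sorted(escalated_users(hits)))
```

In the sample data the backup service account trips one rule and would normally be placed on the allow list after review, while the ordinary user account trips three distinct rules and is escalated. Feeding the script real Sysmon Event ID 1 or Windows 4688 data only requires adapting `parse_event` to the export format in use.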
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to cyber attacks from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies packaged within one agent managed from a single console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP deployment that meets your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you in defining and implementing the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent's consultants can also help you install and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has partnered with advanced backup/restore software providers to create ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service. ProSight DPS products automate and track your backup operations and allow transparent backup and fast recovery of important files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss caused by equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or application bugs. Managed backup services in the ProSight DPS product line include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security vendors to provide centralized management and world-class protection for all your email traffic. The layered architecture of the Email Guard managed service integrates cloud-based filtering with a local security gateway device to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a preliminary barricade and blocks most threats before they reach your network firewall. This decreases your exposure to inbound threats and conserves bandwidth and storage. Email Guard's on-premises gateway device adds a deeper layer of inspection for incoming email. For outbound email, the onsite gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Microsoft Exchange Server monitor and protect internal email traffic that stays within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map, track, enhance and troubleshoot their connectivity appliances like routers, firewalls, and access points plus servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration of almost all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, locating devices that need important updates, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent’s server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT personnel and your Progent engineering consultant so any looming issues can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be ported easily to a different hardware platform without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard data about your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save as much as half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you’re making improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates next-generation behavior-based analysis tools to guard endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and fileless exploits, which routinely escape legacy signature-based anti-virus products. Progent Active Security Monitoring services safeguard local and cloud resources and provide a unified platform to address the entire threat lifecycle, including filtering, infiltration detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Call Center: Support Desk Managed Services
Progent's Support Center managed services enable your IT team to outsource Call Center services to Progent or split activity for support services transparently between your in-house support resources and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Shared Service Desk provides a seamless supplement to your corporate support staff. User access to the Help Desk, provision of technical assistance, issue escalation, ticket generation and updates, efficiency metrics, and maintenance of the service database are consistent regardless of whether issues are resolved by your internal IT support resources, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Help Center services.
- Patch Management: Patch Management Services
Progent's support services for patch management provide organizations of any size a flexible and affordable solution for assessing, validating, scheduling, applying, and tracking updates to your dynamic information network. In addition to maximizing the protection and reliability of your computer network, Progent's patch management services free up time for your IT team to focus on line-of-business projects and tasks that derive the highest business value from your network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo authentication services incorporate Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication. Duo supports single-tap identity verification with iOS, Android, and other out-of-band devices. With 2FA, when you log into a protected online account and enter your password, you are asked to verify who you are on a device that only you possess and that uses a different ("out-of-band") network channel. A broad range of out-of-band devices can be used as this added means of identity validation, such as a smartphone or wearable, a hardware token, or a landline telephone. You can register several verification devices. For more information about Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services.