Ransomware: Your Worst IT Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that presents an enterprise-level danger to businesses of all sizes that are unprepared for an attack. Older families such as CryptoLocker, WannaCry, Bad Rabbit and MongoLock have been in the wild for years and still cause havoc (WannaCry and Bad Rabbit spread as self-propagating worms; MongoLock targets exposed MongoDB instances). More recent crypto-ransomware such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Nephilim, plus additional as yet unnamed malware, not only encrypt online data files but also encrypt any backups reachable over the network. Files synchronized to the cloud can be encrypted as well, because the sync client faithfully uploads the encrypted versions. In a poorly designed environment this renders automated restoration hopeless and sets the entire system back to zero.
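A practitioner check for the failure mode just described, added here as an example and not part of the original page: the PowerShell script below audits the SMB shares on a backup host for write access granted to broad principals (Everyone, Authenticated Users, Domain Users and similar), which is exactly what lets a ransomware process running under any compromised user account encrypt the backups in place. The list of "broad" principals and the rule that a share counts as exposed only when both the share layer and the NTFS layer grant broad write access are this example's own assumptions.

```powershell
# Added example, not from the original page: find backup shares that any
# domain user could write to. Run as an administrator on the backup host.
# Requires the SmbShare module (Windows Server 2012 / PowerShell 3.0 or later).

# Principals treated as "broad" (assumption: adjust to your naming conventions).
$BroadNames    = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$BroadPatterns = @('\\Domain Users$', '\\Domain Computers$')

function Test-BroadPrincipal {
    param([string]$Account)
    if ($BroadNames -contains $Account) { return $true }
    foreach ($pattern in $BroadPatterns) {
        if ($Account -match $pattern) { return $true }
    }
    return $false
}

# Collect every broad write grant, at the share layer and at the NTFS layer.
$Grants = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

    foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
        if ($entry.AccessControlType -eq 'Allow' -and
            $entry.AccessRight -in @('Change', 'Full') -and
            (Test-BroadPrincipal $entry.AccountName)) {
            [pscustomobject]@{
                Share = $share.Name; Path = $share.Path; Layer = 'Share'
                Principal = $entry.AccountName; Right = $entry.AccessRight
            }
        }
    }

    # FileSystemRights renders named rights as text; generic rights written by
    # some tools show up as raw numbers and are not matched here (review by hand).
    $acl = Get-Acl -Path $share.Path -ErrorAction SilentlyContinue
    if ($null -eq $acl) { continue }
    foreach ($ace in $acl.Access) {
        $rights = $ace.FileSystemRights.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            $rights -match 'Write|Modify|FullControl' -and
            (Test-BroadPrincipal $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                Principal = $ace.IdentityReference.Value; Right = $rights
            }
        }
    }
}

# Effective access is the more restrictive of the two layers, so a share is
# only exposed when BOTH layers grant broad write access.
$Exposed = $Grants | Group-Object Share | Where-Object {
    ($_.Group.Layer | Select-Object -Unique).Count -eq 2
}

if ($Exposed) {
    Write-Warning "Backup shares writable by any domain user: $($Exposed.Name -join ', ')"
    $Grants | Where-Object { $_.Share -in $Exposed.Name } | Format-Table -AutoSize
} else {
    Write-Output 'No shares grant broad write access at both the share and NTFS layers.'
}
```

A share that comes up exposed should be rewritten so that only the backup software's own service account can modify it, and the account used for day-to-day administration should not be able to reach it at all; a copy that is also kept offline or in immutable storage is the only one a ransomware process cannot touch.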
Retrieving programs and data after a ransomware intrusion becomes a race against the clock as the victim tries to contain the spread, remove the ransomware, and resume business-critical activity. Because crypto-ransomware needs time to spread and encrypt, attacks are often launched at night or on weekends, when they take longer to detect. This compounds the difficulty of rapidly assembling and organizing an experienced response team.
Progent offers a variety of services for protecting enterprises from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring, which uses SentinelOne's behavior-based endpoint protection to detect and contain new threats quickly, and remote monitoring and management of servers and desktops. Progent also provides seasoned ransomware recovery consultants with the skills and perseverance to restore a breached system as soon as possible.
Progent's Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin provides no assurance that the criminals will respond with working keys to decrypt any of your files. Kaspersky Labs found that seventeen percent of ransomware victims never restored their files even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet reports averages around $13,000. The other path is to rebuild the essential parts of your IT environment. Without usable backups, this calls for a broad complement of skills, well-coordinated team management, and the capability to work continuously until the job is finished.
For two decades, Progent has provided professional IT services for companies in Recife and throughout the United States and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts (SMEs) includes consultants who hold advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security engineers hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP software. This breadth of expertise lets Progent understand critical systems, reorganize the surviving pieces of your network environment following a crypto-ransomware attack, and rebuild them into a functioning system.
Progent's ransomware team uses project management tools to coordinate the complicated restoration process. Progent appreciates the urgency of working quickly and in concert with a customer's management and IT staff to prioritize tasks and get essential services back online as fast as possible.
Client Case Study: A Successful Ransomware Incident Recovery
A client escalated to Progent after their network was brought down by the Ryuk crypto-ransomware. Early reports attributed Ryuk to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later analysis attributes it to Russian-speaking criminal groups. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago area with around 500 employees. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's backups had been directly accessible over the network when the intrusion began and were encrypted along with the production data. The client was actively seeking loans to pay the ransom demand (in excess of $200,000), hoping for the best, but ultimately decided to engage Progent.
"I can't speak enough in regards to the expertise Progent gave us throughout the most critical period of (our) businesses existence. We had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent team provided us. That you could get our e-mail and important servers back into operation in less than seven days was beyond my wildest dreams. Every single expert I interacted with or messaged at Progent was absolutely committed on getting our system up and was working breakneck pace to bail us out."
Progent worked hand in hand with the client to quickly assess and prioritize the essential applications that had to be restored before business functions could continue:
- Microsoft Active Directory
- Microsoft Exchange
- Financials/MRP
To begin, Progent followed incident response best practices by isolating and cleaning the infected systems. Progent then started restoring Windows Active Directory, the core of any environment built on Microsoft Windows Server. Microsoft Exchange will not function without AD, and the customer's accounting and MRP system ran on Microsoft SQL Server, which relied on Active Directory (Windows integrated authentication) to authenticate access to the data.
Within 48 hours, Progent had restored Active Directory to its pre-attack state. Progent then rebuilt key applications and recovered their storage. All Exchange Server schema and configuration information in AD was intact, which simplified the rebuild of Exchange. Progent located local OST files (Outlook's offline mailbox cache) on staff workstations and laptops and used them to recover mail data. A recent off-line backup of the client's financials/ERP system allowed those essential applications to be brought back online for users. Although major work remained to recover completely from the Ryuk attack, essential systems were restored quickly:
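The OST salvage step above is the part of the recovery a responder can script. The PowerShell below is an added example, not code from the original page or from Progent: it inventories the Outlook cache files under each user profile on a workstation and checks whether each file still begins with the "!BDN" signature that every OST and PST file carries, so intact mailbox caches can be separated from files the ransomware overwrote before anyone spends time on them. The default cache location and the CSV output path are this example's assumptions.

```powershell
# Added example, not from the original page: inventory Outlook OST cache files
# on a workstation and test whether each still carries the OST/PST signature.
# Assumption: Outlook keeps its cache in the default per-user location.
# Run as an administrator so every user profile is readable.

# Every PST/OST file begins with the four bytes "!BDN". A file the ransomware
# has overwritten will not, even if its name and size look plausible. Families
# that rename encrypted files will not match the *.ost filter at all.
$OstMagic = [byte[]](0x21, 0x42, 0x44, 0x4E)

function Test-OstHeader {
    param([string]$Path)
    # FileShare.ReadWrite lets us read the header even while Outlook holds the file open.
    $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
    try {
        $buffer = New-Object byte[] 4
        if ($stream.Read($buffer, 0, 4) -lt 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) {
            if ($buffer[$i] -ne $OstMagic[$i]) { return $false }
        }
        return $true
    } finally {
        $stream.Dispose()
    }
}

$ProfileRoot = Join-Path $env:SystemDrive 'Users'
$Inventory = foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
    $outlookDir = Join-Path $userDir.FullName 'AppData\Local\Microsoft\Outlook'
    foreach ($ost in Get-ChildItem -Path $outlookDir -Filter '*.ost' -File -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            User         = $userDir.Name
            Path         = $ost.FullName
            SizeMB       = [math]::Round($ost.Length / 1MB, 1)
            LastWrite    = $ost.LastWriteTime
            HeaderIntact = Test-OstHeader -Path $ost.FullName
        }
    }
}

# Intact caches first, largest first; the CSV feeds the recovery tracking sheet.
$Inventory | Sort-Object HeaderIntact, SizeMB -Descending | Format-Table -AutoSize
$Inventory | Export-Csv -Path (Join-Path $env:TEMP "ost-inventory-$env:COMPUTERNAME.csv") -NoTypeInformation
```

An OST is tied to the mailbox and profile it was created from, so copy the intact files aside before the workstation's Outlook reconnects to the rebuilt Exchange organization: Outlook treats a cache whose mailbox no longer matches as stale and rebuilds it, and the saved copy is then exported or converted into a PST for import into the restored mailbox.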
"For the most part, the manufacturing operation showed little impact and we produced all customer shipments."
During the next month key milestones in the restoration process were achieved in close collaboration between Progent consultants and the customer:
- In-house web applications were brought back up without losing any data.
- The MailStore email archive server, holding more than 4 million archived Exchange messages, was brought back up and made accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivable/Inventory functions were 100 percent restored.
- A new Palo Alto 850 firewall was installed.
- Most desktop computers were back in use by staff.
"A huge amount of what occurred those first few days is mostly a blur for me, but we will not forget the countless hours each of you put in to help get our company back. I've been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."
Conclusion
A potential business extinction event was avoided by top-tier professionals, a wide range of IT skills, and close collaboration. In hindsight, the attack described here should have been detected and blocked by modern security tooling, by following NIST Cybersecurity Framework or ISO/IEC 27001 practices, by user and administrator training, and by sound procedures for data protection and timely security patching. The fact remains, however, that criminal and state-sponsored attackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, you can be confident that Progent's roster of experts has a proven track record in ransomware blocking, removal, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get rested after we made it past the first week. Everyone did an amazing job, and if any of your guys is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Recife a variety of remote monitoring and security evaluation services to assist you to minimize your vulnerability to ransomware. These services incorporate modern machine learning capability to uncover zero-day strains of ransomware that can get past legacy signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior-based analysis tools to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely evade traditional signature-matching AV tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to address the complete malware attack progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer economical in-depth security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to cyber attacks from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization experts can help your business plan and configure a ProSight ESP deployment that addresses your organization's unique requirements and that helps you demonstrate compliance with government and industry data protection standards. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also help you set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore technology companies to produce ProSight Data Protection Services, a portfolio of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup operations and enable non-disruptive backup and fast restoration of critical files, apps, system images, plus VMs. ProSight DPS lets your business recover from data loss resulting from hardware failures, natural disasters, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or application glitches. Managed backup services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security companies to deliver web-based management and world-class protection for your email traffic. The powerful architecture of Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter acts as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This reduces your exposure to external attacks and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, monitor, reconfigure and troubleshoot their networking appliances such as switches, firewalls, and access points plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating time-consuming management activities, ProSight WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding devices that require critical software patches, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by tracking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so all looming problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved easily to a different hosting solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect information about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSLs or domains. By cleaning up and organizing your IT documentation, you can eliminate up to half of time thrown away searching for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that uses next-generation behavior-based machine learning to guard endpoint devices, servers and VMs against modern malware attacks such as ransomware and email phishing, which routinely evade traditional signature-matching anti-virus tools. The service protects local and cloud-based resources and provides a unified platform to address the entire threat lifecycle, including filtering, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.
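Both ProSight Active Security Monitoring and Active Defense Against Ransomware describe one-click rollback built on the Windows Volume Shadow Copy Service. The caveat a practitioner wants is that rollback can only restore what a shadow copy still holds, and deleting shadow copies is one of the first things most ransomware does. The PowerShell below is an added example, not code from the original page or from Progent: it reports how many shadow copies each volume currently has and scans the Security log for the commands commonly used to delete them. It assumes process-creation auditing (Event ID 4688) with command-line logging is enabled; without that policy the second check finds nothing.

```powershell
# Added example, not from the original page: verify that the shadow copies an
# endpoint-rollback feature depends on still exist, and look for the commands
# ransomware uses to destroy them. Run as an administrator.
# Assumption: Event ID 4688 auditing with "Include command line in process
# creation events" is enabled; otherwise Find-ShadowCopyDeletion returns nothing.

# 1. Shadow copies per volume. Win32_ShadowCopy is empty after
#    "vssadmin delete shadows /all", which is what rollback cannot survive.
function Get-ShadowCopySummary {
    $letterByDevice = @{}
    foreach ($vol in Get-CimInstance -ClassName Win32_Volume) {
        if ($vol.DriveLetter) { $letterByDevice[$vol.DeviceID] = $vol.DriveLetter }
    }
    $counts = @{}
    foreach ($letter in $letterByDevice.Values) { $counts[$letter] = 0 }
    foreach ($copy in Get-CimInstance -ClassName Win32_ShadowCopy) {
        $letter = $letterByDevice[$copy.VolumeName]   # VolumeName is the \\?\Volume{GUID}\ device ID
        if ($letter) { $counts[$letter]++ }
    }
    foreach ($letter in ($counts.Keys | Sort-Object)) {
        [pscustomobject]@{ Volume = $letter; ShadowCopies = $counts[$letter] }
    }
}

# 2. Command lines that remove shadow copies or disable recovery, matched
#    case-insensitively against the 4688 event text.
$DeletionPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
    'bcdedit(\.exe)?\s+.*recoveryenabled\s+no'
)

function Find-ShadowCopyDeletion {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        foreach ($pattern in $DeletionPatterns) {
            if ($evt.Message -match $pattern) {
                $line = ($evt.Message -split "`r?`n") | Where-Object { $_ -match $pattern } | Select-Object -First 1
                [pscustomobject]@{ Time = $evt.TimeCreated; Pattern = $pattern; CommandLine = $line.Trim() }
                break
            }
        }
    }
}

Get-ShadowCopySummary | Format-Table -AutoSize
$hits = Find-ShadowCopyDeletion -Days 7
if ($hits) {
    Write-Warning "Shadow copy deletion activity found in the last 7 days:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No shadow copy deletion commands found in the last 7 days (or 4688 auditing is off).'
}
```

A volume showing zero shadow copies on a machine that is supposed to have them, or any hit from the second check, means the rollback feature has nothing to roll back to; at that point the file-level restore has to come from an offline backup, which is the situation the case study above describes.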
- Outsourced/Co-managed Service Center: Help Desk Managed Services
Progent's Help Center managed services permit your IT staff to outsource Help Desk services to Progent or divide activity for support services transparently between your in-house network support team and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your in-house network support resources. User access to the Service Desk, provision of support, escalation, trouble ticket generation and updates, performance metrics, and maintenance of the service database are cohesive whether incidents are resolved by your internal support group, by Progent, or by a combination. Read more about Progent's outsourced/shared Help Center services.
- Progent's Patch Management: Patch Management Services
Progent's support services for software and firmware patch management provide businesses of any size a versatile and cost-effective alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information system. Besides maximizing the protection and functionality of your IT network, Progent's patch management services allow your in-house IT team to focus on line-of-business projects and activities that derive the highest business value from your network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo authentication service plans use Cisco's Duo cloud technology to defend against compromised passwords with two-factor authentication (2FA). Duo supports single-tap identity verification on Apple iOS, Android, and other personal devices. With 2FA, whenever you log into a protected account and enter your password, you are asked to confirm your identity through a device that only you possess, over a separate channel. A broad selection of devices can serve as this second factor, such as an iPhone, Android phone or wearable, a hardware token, or a landline phone, and you can register multiple verification devices. To learn more about ProSight Duo identity validation services, visit Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time management reporting tools designed to work with the industry's top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-up or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For 24-7 Recife Crypto-Ransomware Remediation Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.