Ransomware: Your Crippling IT Nightmare
Crypto-ransomware has become a modern cyber pandemic and an enterprise-level danger for any business exposed to an attack. Older families such as CrySIS, Fusob, Locky, NotPetya and MongoLock have circulated for years and still inflict damage. Newer variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, along with as yet unnamed newcomers, do not merely encrypt online files: they also seek out and encrypt every backup the compromised systems can reach, and data replicated to off-site disaster recovery sites can be corrupted the same way. In a poorly architected environment, where backups stay online and reachable from production hosts, this renders automated restoration useless and effectively sets the datacenter back to square one.
Recovering applications and data after a ransomware outage becomes a race against time as the targeted business fights to contain the damage, eradicate the malware, and restore mission-critical activity. Because ransomware needs time to spread, attacks are frequently launched on weekends, when a successful intrusion is likely to go undetected for longer. This compounds the difficulty of promptly mobilizing and coordinating a capable response team.
Progent offers a variety of services for protecting enterprises from ransomware. These include training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote endpoint monitoring and management, and deployment of current-generation endpoint protection software with machine learning technology from SentinelOne to detect and contain new cyber threats quickly. Progent also offers the services of experienced ransomware recovery professionals with the track record and commitment to rebuild a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
Following a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys needed to decrypt all your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also costly: Ryuk demands commonly range from fifteen to forty BTC (roughly $120,000 to $400,000), far higher than the typical crypto-ransomware demand, which ZDNET puts at around $13,000. The alternative is to rebuild the critical parts of your IT environment from scratch. Without usable system backups, this calls for a broad complement of skills, professional project management, and the ability to work continuously until the recovery is complete.
For decades, Progent has offered expert IT services to companies in San Bernardino and throughout the U.S. and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts hold internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience allows Progent to quickly understand critical systems, consolidate the surviving parts of your IT environment after a ransomware attack, and assemble them into an operational network.
Progent's ransomware team uses powerful project management tools to coordinate the complex recovery process. Progent understands the urgency of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and bring critical services back online as soon as possible.
Customer Case Study: A Successful Ransomware Incident Response
A client contacted Progent after their network was taken over by Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored hackers because of code it shares with the earlier Hermes ransomware; later analysis attributed its operation to a Russian-speaking criminal group. Ryuk targets specific companies with little tolerance for disruption and is one of the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer in the Chicago metro area with about 500 staff members. The Ryuk event had paralyzed all company operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were encrypted along with everything else. The client was preparing to pay the ransom (more than $200K) and hope for the best, but instead engaged Progent.
"I cannot thank you enough for the support Progent gave us throughout the most critical time of (our) business's existence. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent team gave us. The fact that you could get our e-mail and critical servers back into operation in less than 1 week was incredible. Every single consultant I worked with or messaged at Progent was absolutely committed to getting us operational and was working 24 by 7 to bail us out."
Progent worked with the client to rapidly assess and prioritize the mission-critical areas that had to be addressed in order to continue company operations:
- Active Directory
- MRP System
To begin, Progent followed ransomware incident response best practices by isolating and cleaning up infected systems. Progent then began restoring Windows Active Directory, the heart of an enterprise environment built on Microsoft technology. Microsoft Exchange email will not operate without Active Directory, and the customer's accounting and MRP system ran on SQL Server, which relied on Active Directory to authenticate and authorize access to the data.
In less than 48 hours, Progent rebuilt Windows Active Directory to its pre-intrusion state. Progent then began the setup and data recovery of key applications. All Exchange schema and configuration information was intact, which greatly simplified the Exchange restore. Progent was also able to gather intact OST files (Outlook Offline Folder Files), the locally cached mailbox copies on staff workstations and laptops, to recover email data up to each user's last synchronization. A recent offline backup of the client's manufacturing systems, which survived because it was offline during the attack, allowed these required services to be restored and returned to users. Although much work remained to recover fully from the Ryuk damage, critical systems were returned to operation quickly:
"For the most part, the manufacturing operation showed little impact and we produced all customer deliverables."
Over the next couple of weeks, critical milestones in the restoration process were achieved through close collaboration between Progent team members and the client:
- Self-hosted web sites were restored with no loss of data.
- The MailStore Exchange Server with over 4 million archived emails was brought on-line and available for users.
- CRM, Product Ordering, Invoicing, Accounts Payable (AP), Accounts Receivable (AR), and Inventory capabilities were 100% functional.
- A new Palo Alto 850 firewall was brought on-line.
- Nearly all user desktops were back in use by staff.
"A lot of what went on in the early hours is mostly a fog for me, but I will not forget the commitment each and every one of your team accomplished to help get our business back. I've been working with Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A potentially business-killing disaster was averted by results-oriented professionals, a broad array of knowledge, and tight teamwork. In hindsight, the crypto-ransomware attack described here should have been prevented by current security solutions and recognized best practices: team training, well-designed procedures for data protection (including backups the attacker cannot reach), and timely software patching. The reality, however, is that criminal and state-sponsored attackers from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, be confident that Progent's roster of professionals has substantial experience in ransomware defense, mitigation, and data restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for letting me get some sleep after we made it through the most critical parts. All of you did an amazing job, and if anyone that helped is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in San Bernardino a range of online monitoring and security evaluation services to help you reduce the threat from ransomware. These services include next-generation machine learning capability to detect zero-day strains of ransomware that get past legacy signature-based security solutions.
For 24/7/365 ransomware recovery services in San Bernardino, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next-generation behavior-based analysis technology to defend physical and virtual endpoints against new malware attacks like ransomware and fileless attacks, which routinely get by legacy signature-matching AV tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to manage the entire malware attack lifecycle including blocking, identification, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and response to cyber attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP deployment that meets your organization's unique needs and that allows you to demonstrate compliance with legal and industry data security standards. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent can also help you install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore software providers to create ProSight Data Protection Services (DPS), a portfolio of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products manage and monitor your data backup processes and allow non-disruptive backup and rapid recovery of critical files, applications, system images, and virtual machines. ProSight DPS helps you protect against data loss caused by hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or application bugs. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to provide centralized control and world-class security for all your inbound and outbound email. The hybrid structure of the Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and blocks most unwanted email before it reaches your network firewall. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further level of analysis for incoming email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server in tracking and protecting internal email that originates and ends within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map out, track, enhance and troubleshoot their networking appliances like switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, captures and displays the configuration of almost all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating time-consuming network management activities, WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, locating devices that need critical updates, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your IT system operating efficiently by tracking the state of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT staff and your Progent consultant so that any looming problems can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved easily to a different hosting solution without a lengthy and technically risky reconfiguration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard data about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL/TLS certificates or domain registrations. By updating and managing your IT documentation, you can eliminate up to half of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes next-generation behavior-based machine learning tools to guard endpoint devices and physical and virtual servers against modern malware attacks like ransomware and email phishing, which routinely escape legacy signature-based AV tools. Built on ProSight Active Security Monitoring, the service protects local and cloud-based resources and provides a single platform to address the complete malware attack lifecycle including protection, detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback with the Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Help Desk: Call Center Managed Services
Progent's Help Desk services enable your information technology team to outsource Call Center services to Progent or split responsibilities for Service Desk support seamlessly between your in-house network support staff and Progent's nationwide roster of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a seamless supplement to your internal network support team. End user access to the Service Desk, delivery of technical assistance, escalation, trouble ticket generation and updates, performance measurement, and maintenance of the support database are cohesive whether issues are resolved by your core network support group, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management provide businesses of any size a versatile and cost-effective solution for evaluating, testing, scheduling, implementing, and documenting updates to your ever-evolving information network. In addition to maximizing the security and reliability of your computer environment, Progent's software/firmware update management services allow your IT team to concentrate on line-of-business projects and activities that deliver the highest business value from your network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to protect against stolen passwords through two-factor authentication. Duo enables one-tap identity verification with iOS, Android, and other personal devices. With 2FA, whenever you log into a protected application and give your password, you are also asked to prove who you are on a device that only you possess and that communicates over a separate channel, so a password captured by phishing or a credential dump is not enough on its own to log in. A wide range of devices can serve as this second factor, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline telephone. You can designate several validation devices. For details about ProSight Duo identity authentication services, see Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of in-depth management reporting utilities designed to work with the industry's leading ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.