Ransomware: Your Crippling Information Technology Catastrophe
Crypto-ransomware has become a modern cyber plague that presents an enterprise-level danger for any organization vulnerable to an attack. Multiple generations of ransomware such as the Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still cause harm. The latest strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, as well as daily unnamed newcomers, not only encrypt online data files but also attack all configured system protection. Data synced to cloud environments can also be encrypted. If the data protection solution is itself vulnerable, this can make automated restoration hopeless and effectively knocks the entire system back to zero.
Getting applications and information back online following a ransomware event becomes a sprint against the clock as the targeted organization fights to contain and clear the ransomware and to restore business-critical operations. Because ransomware needs time to spread, intrusions are usually launched on weekends, when they may take longer to recognize. This compounds the difficulty of quickly assembling and coordinating a knowledgeable mitigation team.
Progent provides a variety of support services for securing businesses from crypto-ransomware intrusions. Among these are user education to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security appliances with artificial intelligence technology from SentinelOne to identify and suppress zero-day cyber attacks. Progent also offers the services of experienced ransomware recovery engineers with the skills and commitment to reconstruct a breached network as rapidly as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware event, even paying the ransom in Bitcoin does not ensure that the criminal gangs will respond with the keys needed to decrypt any of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their files after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to piece back together the essential parts of your IT environment. Without full system backups, this calls for a wide complement of skills, well-coordinated team management, and the ability to work non-stop until the recovery project is completed.
For twenty years, Progent has provided professional Information Technology services for businesses in San Bernardino and throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in financial management and ERP applications. This breadth of expertise allows Progent to rapidly understand the systems that matter, salvage the remaining components of your network following a ransomware attack, and rebuild them into a functioning system.
Progent's ransomware team of experts uses state-of-the-art project management applications to orchestrate the sophisticated recovery process. Progent appreciates the importance of working rapidly and together with a client's management and IT staff to assign priority to tasks and to get essential systems back on line as fast as possible.
Customer Story: A Successful Ransomware Intrusion Recovery
A small business engaged Progent after their organization was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state criminal gangs, suspected of adopting technology exposed from the U.S. National Security Agency. Ryuk goes after specific businesses with little or no tolerance for operational disruption and is among the most lucrative examples of ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer located in the Chicago metro area with about 500 workers. The Ryuk attack had brought down all company operations and manufacturing capabilities. The majority of the client's backups had been online at the beginning of the intrusion and were eventually encrypted. The client considered paying the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately engaged Progent.
"I can't thank you enough in regards to the support Progent gave us during the most fearful period of (our) business's life. We may have had to pay the Hackers except for the confidence the Progent team provided us. The fact that you could get our messaging and production applications back online in less than five days was something I thought impossible. Each person I interacted with or texted at Progent was urgently focused on getting us back on-line and was working 24 by 7 on our behalf."
Progent worked with the client to quickly identify and prioritize the mission-critical applications that had to be restored in order to resume business functions:
- Active Directory (AD)
- Microsoft Exchange Server
To get going, Progent followed AV/malware intrusion mitigation best practices by halting the spread and cleaning infected systems. Progent then started the task of recovering Microsoft Active Directory, the key technology of enterprise networks built upon Microsoft Windows Server. Exchange email will not function without AD, and the client's accounting and MRP system ran on Microsoft SQL Server, which requires Active Directory for access to the data.
Within 2 days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then assisted with setup and storage recovery on mission-critical systems. All Exchange links and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to find non-encrypted OST files (Microsoft Outlook Offline Data Files) on various PCs in order to recover email messages. A fairly recent offline backup of the client's accounting systems made it possible to bring these vital services back online. Although significant work was left to recover fully from the Ryuk attack, critical systems were restored quickly:
"For the most part, the manufacturing operation did not miss a beat and we delivered all customer sales."
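The OST recovery step above depends on quickly telling which Outlook data files on user PCs still have their original container header and which have been overwritten by the ransomware. The following script is an added example, not Progent's tooling: it walks a directory tree, collects files whose names still carry an `.ost` or `.pst` extension (even when a ransomware extension has been appended), and classifies each by whether it starts with the `!BDN` signature that every Outlook PST/OST container begins with, falling back to a byte-entropy check on the first 4 KB. The sample tree it builds is constructed for the demonstration; the file names, the 7.0-bit entropy threshold and the verdict labels are assumptions.

```python
import math
import os
import random
from pathlib import Path
from typing import List, Tuple

# Signature at offset 0 of every Outlook PST/OST container ([MS-PST] HEADER.dwMagic).
PST_MAGIC = b"!BDN"
HEADER_SAMPLE = 4096  # bytes read from the start of each file for the entropy check
ENTROPY_THRESHOLD = 7.0  # assumed cut-off: random-looking data scores close to 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ~8.0 means random-looking (encrypted or compressed)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_mailbox_file(path: Path) -> str:
    """Return 'intact', 'encrypted', 'damaged' or 'unreadable' for one candidate file."""
    try:
        with path.open("rb") as fh:
            sample = fh.read(HEADER_SAMPLE)
    except OSError:
        # Typically the file is locked by a running Outlook or the share is offline.
        return "unreadable"
    if sample.startswith(PST_MAGIC):
        return "intact"
    # Header gone: a high-entropy prefix is the usual fingerprint of ransomware output.
    return "encrypted" if shannon_entropy(sample) > ENTROPY_THRESHOLD else "damaged"


def find_candidate_files(root: Path, extensions=(".ost", ".pst")) -> List[Path]:
    """Collect files whose name still contains an Outlook data-file extension.
    Ransomware often appends its own extension, so match '.ost' anywhere in the name."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            if any(ext in lower for ext in extensions):
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def triage(root: Path) -> List[Tuple[str, str, int]]:
    """(path relative to root, verdict, size in bytes) for every candidate under root."""
    return [
        (str(p.relative_to(root)), classify_mailbox_file(p), p.stat().st_size)
        for p in find_candidate_files(root)
    ]


def build_constructed_sample(root: Path) -> None:
    """Create a CONSTRUCTED sample tree: one intact-looking OST and one scrambled one."""
    (root / "user1").mkdir(parents=True, exist_ok=True)
    (root / "user2").mkdir(parents=True, exist_ok=True)
    # Fake intact file: valid magic followed by low-entropy filler (not a real mailbox).
    (root / "user1" / "user1@example.com.ost").write_bytes(PST_MAGIC + b"\x00" * 8188)
    # Fake encrypted file: header replaced by pseudo-random bytes, renamed by the attacker.
    rnd = random.Random(1234)
    scrambled = bytes(rnd.getrandbits(8) for _ in range(8192))
    (root / "user2" / "user2@example.com.ost.locked").write_bytes(scrambled)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        for rel, verdict, size in triage(root):
            print(f"{verdict:10} {size:>8}  {rel}")
```

Run it against a mounted user-profile share (or point `triage` at `C:\Users` on a workstation image) and only the files reported as `intact` are worth copying to the recovery server for mailbox extraction; `encrypted` files are not worth the transfer time. The magic-bytes check is deliberately cheap so the scan can cover hundreds of PCs, and the entropy fallback separates genuinely encrypted files from ones that are merely truncated or corrupt.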
Over the next couple of weeks, critical milestones in the restoration project were reached in close collaboration between Progent consultants and the customer:
- Self-hosted web sites were returned to operation without losing any information.
- The MailStore Server holding more than 4 million archived emails was brought back up and made available to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory modules were 100% recovered.
- A new Palo Alto 850 security appliance was installed.
- 90% of the user desktops and notebooks were back in use by staff.
"A lot of what went on during the initial response is nearly entirely a fog for me, but we will not forget the commitment all of the team put in to give us our company back. I've been working together with Progent for the past ten years, possibly more, and each time Progent has come through and delivered as promised. This situation was a testament to your capabilities."
A potential business-ending catastrophe was averted by results-oriented experts, a broad range of IT skills, and close teamwork. In hindsight, the ransomware attack described here could have been detected and prevented with current security technology and recognized best practices: user education, well thought out backup procedures, and proper patching controls. Even so, the reality remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incursion, remember that Progent's team of professionals has substantial experience in ransomware defense, cleanup, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), I'm grateful for making it so I could get rested after we got through the initial fire. Everyone did an amazing effort, and if anyone that helped is in the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in San Bernardino a portfolio of online monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services utilize modern artificial intelligence technology to uncover zero-day variants of ransomware that can evade legacy signature-based security solutions.
For San Bernardino 24-Hour Crypto-Ransomware Recovery Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next-generation behavioral machine learning to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily get by traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to manage the complete malware attack progression including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies packaged within one agent managed from a single console. Progent's security and virtualization experts can assist your business to design and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you demonstrate compliance with government and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent's consultants can also assist your company to set up and test a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has worked with leading backup technology providers to create ProSight Data Protection Services, a family of subscription-based offerings that provide backup-as-a-service. ProSight DPS services automate and track your data backup operations and allow transparent backup and rapid recovery of critical files, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss resulting from equipment failures, natural calamities, fire, malware like ransomware, human mistakes, malicious employees, or application bugs. Managed services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these fully managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security vendors to deliver web-based control and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with a local security gateway device to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from reaching your security perimeter. This decreases your vulnerability to external threats and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper layer of inspection for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to monitor and safeguard internal email that originates and ends within your corporate firewall. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, track, enhance and troubleshoot their networking hardware like switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious network management processes, ProSight WAN Watch can knock hours off common chores such as making network diagrams, expanding your network, finding appliances that require critical software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running efficiently by tracking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your specified IT staff and your assigned Progent consultant so that all looming issues can be resolved before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported immediately to a different hosting environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By updating and managing your IT documentation, you can save as much as 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're making enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes cutting-edge behavior analysis tools to defend endpoint devices, servers and VMs against new malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus products. Progent Active Security Monitoring services protect local and cloud resources and provide a single platform to address the entire malware attack lifecycle including filtering, identification, containment, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Call Center: Support Desk Managed Services
Progent's Call Desk managed services permit your IT group to outsource Call Center services to Progent or split responsibilities for support services transparently between your internal support staff and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth extension of your internal support organization. End user interaction with the Help Desk, delivery of support, issue escalation, ticket creation and updates, efficiency metrics, and maintenance of the service database are consistent whether issues are taken care of by your in-house support organization, by Progent's team, or both. Find out more about Progent's outsourced/shared Service Center services.
- Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management offer organizations of all sizes a versatile and affordable solution for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT system. Besides optimizing the security and functionality of your IT environment, Progent's software/firmware update management services free up time for your in-house IT staff to focus on more strategic projects and tasks that deliver maximum business value from your information network. Find out more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo authentication service plans utilize Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Android, and other personal devices. With Duo 2FA, when you sign into a secured application and give your password you are requested to confirm who you are via a device that only you have and that uses a different network channel. A broad range of out-of-band devices can be used as this added means of ID validation including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can designate multiple verification devices. To find out more about Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of real-time and in-depth reporting tools designed to work with the industry's top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.