Ransomware: Your Worst IT Catastrophe
Crypto-ransomware has become a modern cyber plague that presents an existential danger to businesses of all sizes that are unprepared for an attack. Strains such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been running rampant for years and continue to inflict damage. More recent families like Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Egregor, along with a steady stream of as yet unnamed malware, not only encrypt online data but also delete or encrypt any reachable system restore points, shadow copies and backups. Files synchronized to off-site disaster recovery sites can be ransomed as well. In a poorly architected data protection solution this can make automated recovery hopeless and effectively knocks the datacenter back to square one.
Restoring applications and data after a ransomware outage becomes a race against the clock as the targeted organization fights to contain the damage, clean up the ransomware, and resume business-critical operations. Because attackers typically spend days or weeks inside a network before encrypting, they frequently trigger the encryption on weekends and holidays, when a successful penetration is likely to take longer to notice and response is slower. This multiplies the difficulty of promptly assembling and organizing a capable mitigation team.
Progent offers an assortment of services for protecting businesses from ransomware penetrations. These include training employees to recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for managed endpoint protection, and deployment of next-generation endpoint security built on SentinelOne's AI technology to identify and contain zero-day attacks rapidly. Progent also offers the services of expert ransomware recovery engineers with the skill and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the attackers will hand over working decryption keys for any or all of your data. Kaspersky determined that 17% of ransomware victims never recovered their information after paying the ransom, compounding their losses. Paying is also expensive: Ryuk ransoms typically run to a few hundred thousand dollars, and for larger organizations the demand can reach millions. The alternative is to piece back together the mission-critical parts of your IT environment. Without access to intact backups, this calls for a wide range of skills, professional project management, and the capacity to work around the clock until the job is done.
For decades, Progent has provided expert IT services to businesses throughout the US and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned top industry certifications in leading technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of experience gives Progent the skills to rapidly identify essential systems, reorganize the remaining pieces of your network following a ransomware event, and assemble them into an operational system.
Progent's recovery team uses best-of-breed project management tools to coordinate the complex recovery process. Progent appreciates the urgency of acting quickly and works with a client's management and IT staff to prioritize tasks and bring the most important systems back online as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Incident Response
A client engaged Progent after their organization was brought down by the Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored actors because its code resembles the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group. Ryuk goes after specific organizations with little or no ability to tolerate disruption and is one of the most profitable ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business in the Chicago metro area with around 500 employees. The Ryuk penetration had paralyzed all business operations and manufacturing processes. Most of the client's backups had been directly reachable from the network at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (more than $200K) and hope for the best, but in the end decided to engage Progent.
"I cannot thank you enough for the support Progent provided us during the most critical time of (our) business's life. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent group afforded us. That you were able to get our messaging and essential servers back online in less than five days was incredible. Each staff member I spoke to or messaged at Progent was absolutely committed to getting our system up and was working 24 by 7 on our behalf."
Progent worked together with the client to rapidly identify and prioritize the critical services that needed to be addressed to make it possible to restart business functions:
- Active Directory (AD)
- Microsoft Exchange Server
- Financials/MRP
To begin, Progent followed incident response best practices by isolating and cleaning infected systems. Progent then started the work of bringing Active Directory back online, the core technology of enterprise environments built on Windows Server. Microsoft Exchange Server will not operate without AD, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on AD authentication for access to its data.
Within 48 hours, Progent restored Active Directory to its pre-attack state. Progent then helped rebuild and recover storage on key systems. All Exchange Server relationships and configuration data were intact, which greatly simplified the restoration of Exchange. Progent was also able to locate intact OST files (Outlook offline data files) on user workstations and recover mail data from them. A reasonably recent offline backup of the client's financials/MRP system made it possible to bring these required applications back online. Although a large amount of work remained to recover completely from Ryuk, essential systems were restored rapidly:
"For the most part, the production operation ran fairly normally throughout and we delivered all customer shipments."
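The step above of locating intact OST files on user workstations is the kind of task a responder scripts rather than does by hand. The following PowerShell is an added example written for this page, not Progent's tooling or anything from the case: it walks the default Outlook data-file location on a list of workstations over the C$ admin share, records size and last-write time, flags files written after the (hypothetical) detonation time, and checks the first four bytes of each file for the "!BDN" signature that every PST/OST starts with, so an encrypted file is not mistaken for a usable mailbox cache. The host names, detonation time and report path are assumptions; the script expects a clean admin workstation with SMB access to hosts that have already been isolated from the attacker.

```powershell
<#
Added example (not Progent's tooling): inventory Outlook OST/PST files on workstations
after a ransomware event and check each one's header so responders can pick the freshest
intact mailbox cache. Assumptions (hypothetical): the responder runs this from a clean
admin workstation with SMB access to each host's C$ share, the hosts are already isolated
from the attacker, and the approximate detonation time is known.
#>
param(
    [string[]]$ComputerName = @('WS-001', 'WS-002'),      # hypothetical host names
    [datetime]$Detonation   = '2019-01-05 02:00',         # hypothetical detonation time
    [string]$Report         = '.\ost-inventory.csv'
)

function Test-OutlookDataFileHeader {
    # Every PST and OST file begins with the 4-byte signature "!BDN".
    # A file encrypted by ransomware will not, so this is a cheap intact-vs-encrypted
    # check that reads only the first four bytes over SMB instead of the whole file.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
        try {
            $buf = New-Object byte[] 4
            $n = $fs.Read($buf, 0, 4)
            return ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq '!BDN')
        } finally { $fs.Dispose() }
    } catch {
        # Outlook still running on the host holds the OST with an exclusive lock; report and move on.
        Write-Warning ("{0}: cannot read header ({1})" -f $Path, $_.Exception.Message)
        return $false
    }
}

$results = foreach ($pc in $ComputerName) {
    $usersRoot = "\\$pc\C$\Users"
    if (-not (Test-Path -LiteralPath $usersRoot)) {
        Write-Warning "$pc: cannot reach $usersRoot (offline, isolated, or admin share disabled)"
        continue
    }
    foreach ($userDir in Get-ChildItem -LiteralPath $usersRoot -Directory -ErrorAction SilentlyContinue) {
        # Outlook keeps cached mailboxes under %LOCALAPPDATA%\Microsoft\Outlook by default.
        # Files the ransomware renamed with its own extension are not matched here; they are
        # unusable anyway, and the header check catches encrypted files that kept their name.
        $outlookDir = Join-Path $userDir.FullName 'AppData\Local\Microsoft\Outlook'
        if (-not (Test-Path -LiteralPath $outlookDir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $outlookDir -File -Recurse -Include *.ost, *.pst -ErrorAction SilentlyContinue) {
            [pscustomobject]@{
                Computer        = $pc
                User            = $userDir.Name
                Path            = $f.FullName
                SizeMB          = [math]::Round($f.Length / 1MB, 1)
                LastWrite       = $f.LastWriteTime
                WrittenAfterHit = $f.LastWriteTime -gt $Detonation   # touched during or after encryption
                HeaderIntact    = Test-OutlookDataFileHeader -Path $f.FullName
            }
        }
    }
}

# Rank usable copies: intact header first, then the most recent data; keep the full list as evidence.
$results | Sort-Object HeaderIntact, LastWrite -Descending | Export-Csv -LiteralPath $Report -NoTypeInformation
$results | Where-Object { $_.HeaderIntact } |
    Format-Table Computer, User, SizeMB, LastWrite, WrittenAfterHit -AutoSize
```

Run it only after the hosts are confirmed clean and isolated; connecting an admin workstation to a network the attacker still controls hands them another credential. The CSV is worth keeping with the incident record, since it documents which mailbox caches were intact and how recent they were at the time of recovery.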
Over the following few weeks, key milestones in the restoration were completed through close collaboration between Progent consultants and the customer:
- Internal web sites were brought back up without losing any information.
- The MailStore Server containing more than four million historical messages was spun up and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory modules were fully restored.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"So much of what happened during the initial response is mostly a fog for me, but I will not soon forget the care all of the team put in to give us our company back. I have utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This time was a stunning achievement."
Conclusion
A probable company-ending catastrophe was averted through the efforts of results-oriented professionals, a broad spectrum of knowledge, and close collaboration. Although in hindsight the ransomware penetration described here could have been stopped with up-to-date security tooling and best practices, staff training, and sound procedures for data backup and timely security patching, the reality remains that criminal and state-sponsored cyber gangs from Russia, North Korea and elsewhere are tireless and will keep attacking. If you are hit by a ransomware attack, remember that Progent's team has proven experience in ransomware defense, mitigation, and data restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for allowing me to get rested after we made it through the first week. Everyone made an amazing effort, and if anyone is visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Seattle a variety of remote monitoring and security assessment services designed to help minimize your exposure to crypto-ransomware. These services include next-generation machine learning technology to detect zero-day strains of ransomware that get past traditional signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT personnel and your assigned Progent engineering consultant so all looming problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM Solution for Networks, Servers, and Desktops
ProSight LAN Watch with NinjaOne RMM software delivers a unified, cloud-based solution for monitoring and managing your network, server, and desktop devices by offering an environment for streamlining common tedious tasks. These include health checking, update management, automated repairs, endpoint setup, backup and recovery, anti-virus response, remote access, built-in and custom scripts, asset inventory, endpoint status reports, and debugging assistance. When ProSight LAN Watch with NinjaOne RMM uncovers a serious issue, it sends an alert to your designated IT personnel and your assigned Progent consultant so that emerging problems can be fixed before they interfere with productivity. Find out more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map out, monitor, enhance and debug their connectivity appliances like switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that require critical updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of real-time and in-depth management reporting tools created to integrate with the industry's top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues like inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has partnered with leading backup software companies to produce ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup operations and enable non-disruptive backup and fast restoration of important files/folders, apps, system images, plus VMs. ProSight DPS helps you recover from data loss resulting from equipment failures, natural disasters, fire, cyber attacks such as ransomware, human error, malicious employees, or application bugs. Managed services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security companies to provide web-based control and comprehensive protection for all your email traffic. Email Guard's managed service combines a Cloud Protection Layer with a local security gateway appliance to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first barrier and keeps most unwanted email from ever reaching your network firewall. This reduces your exposure to external attacks and conserves bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of analysis for incoming email. For outbound email, the on-premises security gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server track and safeguard internal email traffic that stays within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA service plans use Cisco's Duo technology to protect against compromised passwords with two-factor authentication (2FA). Duo enables single-tap identity verification with Apple iOS, Android, and other personal devices. With Duo 2FA, whenever you sign in to a protected account and enter your password you are asked to confirm your identity with a device that only you possess, over a separate channel from the login itself. A wide selection of devices can serve as this second factor, such as a smartphone or watch, a hardware token, or a landline telephone, and you may register multiple verification devices. For more information about Duo two-factor authentication services, see Duo MFA two-factor authentication services for access security.
- Outsourced/Co-managed Service Desk: Help Desk Managed Services
Progent's Service Desk managed services enable your IT group to outsource service desk support to Progent or to share service desk responsibilities transparently between your in-house support team and Progent's nationwide roster of IT service engineers and subject matter experts. Progent's Shared Service Desk offers a seamless supplement to your in-house network support group. User access to the Service Desk, delivery of technical assistance, problem escalation, trouble ticket creation and tracking, performance metrics, and maintenance of the service database are consistent whether incidents are resolved by your in-house support staff, by Progent, or both. Find out more about Progent's outsourced/shared Service Desk services.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that uses next-generation behavior-based analysis to defend endpoints, servers and VMs against modern attacks like ransomware and file-less exploits, which easily evade traditional signature-based AV tools. The service protects on-premises and cloud-based resources and provides a unified platform to automate the complete threat lifecycle: blocking, identification, containment, cleanup, and forensics. Key features include one-click rollback using Windows VSS snapshots and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Read more about ProSight IT Asset Management service.
- Progent's Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer businesses of any size a versatile and cost-effective alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic information system. In addition to optimizing the protection and functionality of your IT environment, Progent's patch management services free up time for your in-house IT staff to concentrate on more strategic projects and tasks that deliver maximum business value from your network. Read more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved immediately to an alternate hosting solution without a time-consuming and difficult reinstallation. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely get by legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a unified platform to manage the complete threat lifecycle including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services offer economical in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies packaged within a single agent accessible from a single control. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP environment that addresses your organization's specific needs and that helps you achieve and demonstrate compliance with government and industry data protection regulations. Progent will assist you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require urgent attention. Progent's consultants can also assist your company to set up and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
For 24/7 Seattle Crypto Cleanup Services, call Progent at 800-462-8800 or go to Contact Progent.