Crypto-Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become an all-too-frequent cyberplague that poses an enterprise-level danger for businesses poorly prepared for an attack. Ransomware families such as Dharma, CryptoWall, Locky, NotPetya and MongoLock have been running rampant for years and still cause destruction. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, as well as newer as yet unnamed malware, not only encrypt online data but also seek out and encrypt any reachable system backups. Files synchronized to cloud environments can also be ransomed. In a poorly designed environment this can make recovery impossible and effectively knock the datacenter back to zero.
Restoring applications and data after a crypto-ransomware intrusion becomes a race against the clock as the targeted organization struggles to contain the damage, eradicate the malware, and resume business-critical activity. Because ransomware needs time to move laterally, attacks are frequently launched at night or over weekends, when a successful penetration typically takes longer to notice. This compounds the difficulty of quickly mobilizing and coordinating a qualified response team.
Progent offers a variety of services for protecting businesses from ransomware attacks. These include user training to help staff recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of SentinelOne security technology, which uses machine learning to identify and contain new attacks rapidly. Progent can also provide expert ransomware recovery consultants with the skills and perseverance to restore a breached system as quickly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware attack, even paying the ransom in Bitcoin does not guarantee that the remote criminals will provide the keys needed to decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The ransom itself is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET put at approximately $13,000. The alternative is to rebuild the vital components of your IT environment. Without complete data backups, this requires a wide range of skills, professional team management, and the ability to work around the clock until the job is done.
For decades, Progent has provided certified expert IT services for businesses in Seattle and throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold top certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts hold internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise allows Progent to quickly identify critical systems, salvage the remaining components of your network after a ransomware attack, and reassemble them into a functioning system.
Progent's security group utilizes powerful project management applications to coordinate the sophisticated restoration process. Progent understands the urgency of working swiftly and in unison with a customer's management and IT team members to assign priority to tasks and to get critical systems back on-line as soon as possible.
Client Case Study: A Successful Ransomware Virus Restoration
A client escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored hackers, possibly using technology leaked from the U.S. NSA. Ryuk goes after specific businesses with little tolerance for operational disruption and is among the most lucrative strains of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk penetration had paralyzed all essential business and manufacturing processes. Most of the client's backups had been online at the time of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately called Progent.
"I can't thank you enough in regards to the care Progent provided us during the most stressful period of (our) business's existence. We would have paid the cybercriminals if not for the confidence the Progent group gave us. That you were able to get our e-mail and essential servers back into operation in less than seven days was amazing. Each expert I talked with or e-mailed at Progent was absolutely committed to getting our system up and was working at breakneck pace to bail us out."
Progent worked hand in hand with the client to rapidly assess and prioritize the mission-critical services that had to be addressed in order to keep departments functioning:
- Active Directory (AD)
- Microsoft Exchange Email
To start, Progent followed incident response best practices by containing the spread and cleaning up compromised systems. Progent then began recovering Microsoft Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Exchange email will not function without Active Directory, and the customer's accounting and MRP software used Microsoft SQL Server, which relies on Active Directory to authenticate access to the data.
In less than 48 hours, Progent recovered Windows Active Directory to its pre-intrusion state. Progent then completed the setup and storage recovery of the most important systems. All Exchange Server schema and attributes were intact, which simplified the rebuild of Exchange. Progent located intact OST files (Outlook Offline Data Files) on various PCs and laptops and used them to recover mail messages. A recent offline backup of the client's accounting/MRP systems made it possible to bring these essential applications back into service. Although a lot of work remained to fully recover from the Ryuk event, the most important systems were returned to operation quickly:
"For the most part, the production operation was never shut down and we produced all customer deliverables."
During the following month, important milestones in the restoration process were reached through close cooperation between Progent consultants and the customer:
- Self-hosted web applications were restored without losing any data.
- The MailStore email archive for Microsoft Exchange, containing more than four million archived messages, was brought online and made available to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were 100% recovered.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Ninety percent of the desktop computers were fully operational.
"A lot of what happened those first few days is nearly entirely a haze for me, but my management will not soon forget the countless hours all of your team put in to help get our business back. I have trusted Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This time was a stunning achievement."
A likely company-ending disaster was averted by top-tier professionals, a wide spectrum of IT skills, and close teamwork. Although, in hindsight, the ransomware attack described here should have been detected and stopped by up-to-date security technology, NIST Cybersecurity Framework best practices, user training, and well-thought-out procedures for data backup and patch management, the reality remains that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by ransomware, you can be confident that Progent's roster of professionals has extensive experience in ransomware defense, cleanup, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for making it so I could get rested after we made it over the first week. All of you made an amazing effort, and if any of your guys are around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Seattle a variety of online monitoring and security evaluation services to help you to minimize your vulnerability to crypto-ransomware. These services include next-generation machine learning capability to uncover zero-day strains of ransomware that are able to get past legacy signature-based security solutions.
For Seattle 24x7 Ransomware Repair Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses SentinelOne's cutting-edge behavioral machine learning to guard physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which routinely slip past legacy signature-based AV tools. ProSight ASM protects on-premises and cloud resources and offers a single platform covering the complete threat lifecycle: blocking, intrusion detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to security attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies packaged in a single agent managed from a single console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP deployment that addresses your company's unique requirements and helps you achieve and demonstrate compliance with government and industry information protection standards. Progent will assist you in specifying and configuring the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also help your company install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with leading backup/restore software companies to create ProSight Data Protection Services (DPS), a selection of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products automate and monitor your data backup processes and allow transparent backup and fast recovery of vital files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss resulting from equipment failures, natural calamities, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or application bugs. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to deliver web-based control and comprehensive security for your email traffic. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from making it to your security perimeter. This reduces your vulnerability to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email that stays inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map, monitor, enhance and debug their connectivity hardware like routers and switches, firewalls, and wireless controllers plus servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are always updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating complex network management activities, ProSight WAN Watch can knock hours off common chores such as network mapping, expanding your network, finding appliances that need critical updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your IT system operating at peak levels by tracking the state of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT management staff and your assigned Progent consultant so all potential problems can be addressed before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and difficult reinstallation. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information about your network infrastructure, procedures, business applications, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can save up to 50% of the time wasted looking for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require when you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates next-generation behavior-based analysis tools to guard endpoint devices as well as physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-based anti-virus tools. Progent ASM services protect on-premises and cloud-based resources and offer a unified platform covering the entire threat lifecycle: filtering, identification, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with the Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Desk: Help Desk Managed Services
Progent's Support Center managed services allow your information technology staff to outsource service desk operations to Progent or to split support activity seamlessly between your in-house support resources and Progent's extensive roster of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a seamless extension of your core support team. Client interaction with the Service Desk, provision of support, issue escalation, ticket creation and updates, efficiency measurement, and maintenance of the support database remain consistent whether issues are handled by your internal network support resources, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer organizations of all sizes a flexible and affordable solution for assessing, validating, scheduling, applying, and documenting updates to your ever-evolving IT network. Besides maximizing the security and reliability of your computer environment, Progent's software/firmware update management services free up time for your in-house IT team to focus on more strategic initiatives and tasks that deliver maximum business value from your network. Read more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA service plans use Cisco's Duo cloud technology to protect against stolen passwords through two-factor authentication. Duo enables single-tap identity verification with iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected online account and enter your password, you are asked to verify who you are via a device that only you possess and that is reached over a different ("out-of-band") network channel. A broad range of out-of-band devices can be used for this second factor, including an iPhone, Android phone or wearable, a hardware or software token, a landline telephone, and others. You may designate multiple verification devices. To find out more about Duo identity validation services, see Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of in-depth reporting tools designed to integrate with the leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.