Ransomware : Your Feared Information Technology Disaster
Crypto-Ransomware has become a modern cyberplague that represents an enterprise-level danger for businesses of all sizes poorly prepared for an attack. Multiple generations of ransomware such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for a long time and still inflict harm. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, along with daily unnamed viruses, not only encrypt on-line files but also infiltrate most accessible system protection mechanisms. Information synchronized to off-site disaster recovery sites can also be corrupted. In a poorly architected environment, it can render automated recovery impossible and effectively knocks the entire system back to square one.
Getting back on-line applications and data after a ransomware outage becomes a sprint against time as the victim tries its best to contain, cleanup the crypto-ransomware, and resume enterprise-critical operations. Since ransomware requires time to replicate, attacks are often sprung during nights and weekends, when penetrations typically take longer to notice. This compounds the difficulty of quickly assembling and coordinating an experienced mitigation team.
Progent offers a variety of help services for securing enterprises from ransomware events. Among these are team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security solutions with machine learning capabilities from SentinelOne to detect and disable new threats automatically. Progent in addition provides the services of experienced ransomware recovery professionals with the skills and commitment to rebuild a compromised system as soon as possible.
Progent's Ransomware Recovery Help
Following a crypto-ransomware penetration, even paying the ransom demands in cryptocurrency does not ensure that distant criminals will return the keys to decipher any or all of your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms are commonly several hundred thousand dollars. For larger organizations, the ransom can be in the millions. The other path is to re-install the vital elements of your IT environment. Without the availability of full data backups, this calls for a wide range of skill sets, professional team management, and the willingness to work 24x7 until the job is done.
For decades, Progent has made available expert Information Technology services for businesses throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained top certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent in addition has expertise with accounting and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently identify necessary systems and organize the surviving parts of your IT system following a crypto-ransomware penetration and assemble them into an operational system.
Progent's ransomware team has powerful project management systems to coordinate the sophisticated recovery process. Progent knows the urgency of working quickly and in concert with a customer's management and Information Technology team members to prioritize tasks and to put essential applications back on line as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Recovery
A customer hired Progent after their network system was crashed by the Ryuk ransomware. Ryuk is believed to have been created by Northern Korean state hackers, possibly using algorithms leaked from America's National Security Agency. Ryuk goes after specific companies with limited tolerance for operational disruption and is among the most lucrative examples of ransomware. Well Known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with around 500 workers. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. Most of the client's information backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client considered paying the ransom demand (in excess of $200,000) and wishfully thinking for the best, but in the end utilized Progent.
"I can't thank you enough in regards to the expertise Progent gave us during the most stressful time of (our) company's existence. We would have paid the hackers behind this attack if not for the confidence the Progent group gave us. The fact that you could get our messaging and critical applications back in less than one week was beyond my wildest dreams. Every single expert I interacted with or communicated with at Progent was laser focused on getting our system up and was working non-stop on our behalf."
Progent worked hand in hand the customer to rapidly understand and assign priority to the essential services that had to be addressed to make it possible to restart business operations:
- Microsoft Active Directory
- Microsoft Exchange
- Accounting/MRP
To begin, Progent adhered to Anti-virus event mitigation best practices by stopping the spread and performing virus removal steps. Progent then began the task of bringing back online Active Directory, the core of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without Active Directory, and the businesses' accounting and MRP software leveraged Microsoft SQL, which requires Windows AD for authentication to the database.
Within two days, Progent was able to re-build Active Directory to its pre-attack state. Progent then performed rebuilding and hard drive recovery of mission critical servers. All Exchange Server ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to find local OST files (Microsoft Outlook Offline Data Files) on team PCs to recover mail information. A not too old off-line backup of the businesses accounting/MRP systems made it possible to restore these essential programs back online. Although a lot of work still had to be done to recover totally from the Ryuk event, core services were restored quickly:
"For the most part, the production operation showed little impact and we made all customer sales."
During the next couple of weeks important milestones in the recovery process were completed through close collaboration between Progent consultants and the customer:
- In-house web applications were restored without losing any information.
- The MailStore Microsoft Exchange Server with over four million archived emails was restored to operations and available for users.
- CRM/Orders/Invoicing/AP/AR/Inventory functions were 100% recovered.
- A new Palo Alto 850 firewall was brought online.
- Ninety percent of the desktops and laptops were back into operation.
"So much of what happened in the early hours is nearly entirely a fog for me, but we will not forget the urgency each of the team accomplished to help get our company back. I have entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was a testament to your capabilities."
Conclusion
A possible business-killing catastrophe was dodged by hard-working experts, a wide range of knowledge, and close collaboration. Although upon completion of forensics the ransomware virus penetration detailed here could have been identified and blocked with advanced cyber security systems and security best practices, staff education, and appropriate security procedures for backup and keeping systems up to date with security patches, the fact is that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware penetration, feel confident that Progent's team of experts has extensive experience in ransomware virus defense, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thanks very much for allowing me to get some sleep after we made it past the most critical parts. Everyone did an amazing job, and if anyone is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in St. Louis a variety of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services incorporate next-generation machine learning technology to detect zero-day variants of ransomware that can get past traditional signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior machine learning technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which easily get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a unified platform to address the entire malware attack progression including filtering, detection, mitigation, cleanup, and forensics. Top features include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services offer economical multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device control, and web filtering through leading-edge technologies incorporated within a single agent accessible from a single console. Progent's security and virtualization experts can help you to plan and implement a ProSight ESP environment that meets your organization's specific needs and that helps you demonstrate compliance with legal and industry information security standards. Progent will assist you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent can also help your company to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with leading backup/restore technology companies to create ProSight Data Protection Services, a portfolio of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup operations and allow transparent backup and fast restoration of important files, apps, system images, and VMs. ProSight DPS helps you avoid data loss resulting from hardware failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned employees, or application bugs. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security companies to provide centralized control and comprehensive protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based malware. The cloud filter serves as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper level of inspection for incoming email. For outbound email, the local security gateway provides AV and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to map out, monitor, reconfigure and debug their connectivity hardware like switches, firewalls, and load balancers plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always updated, copies and manages the configuration information of virtually all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious management activities, WAN Watch can cut hours off ordinary chores like making network diagrams, expanding your network, finding appliances that need important software patches, or isolating performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your network running efficiently by checking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT management personnel and your assigned Progent engineering consultant so all potential problems can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved easily to a different hardware solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and protect information about your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of time thrown away looking for vital information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior machine learning tools to defend endpoint devices as well as physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-based AV tools. Progent ASM services protect local and cloud resources and offers a unified platform to address the entire malware attack lifecycle including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Call Center: Call Center Managed Services
Progent's Support Center managed services allow your information technology group to offload Support Desk services to Progent or divide activity for support services seamlessly between your in-house support group and Progent's extensive pool of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a transparent extension of your corporate support group. End user interaction with the Service Desk, delivery of technical assistance, issue escalation, ticket creation and tracking, performance measurement, and management of the support database are consistent whether issues are taken care of by your corporate IT support group, by Progent, or both. Find out more about Progent's outsourced/shared Help Desk services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer businesses of any size a versatile and cost-effective solution for assessing, validating, scheduling, implementing, and documenting updates to your dynamic information network. Besides optimizing the protection and reliability of your computer network, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic initiatives and activities that derive the highest business value from your information network. Read more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication. Duo enables one-tap identity confirmation on iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a secured online account and give your password you are asked to verify who you are on a unit that only you have and that uses a different network channel. A wide selection of devices can be used as this added means of ID validation such as an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can register multiple validation devices. To find out more about Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding line of real-time and in-depth management reporting plug-ins created to integrate with the industry's leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-up or endpoints with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
For 24x7 St. Louis Ransomware Cleanup Support Services, call Progent at 800-462-8800 or go to Contact Progent.