Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyberplague that poses an existential threat for businesses of all sizes vulnerable to an attack. Multiple generations of crypto-ransomware such as Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and continue to inflict damage. The latest strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as daily as yet unnamed newcomers, not only do encryption of online data but also infiltrate most configured system protection mechanisms. Data replicated to cloud environments can also be rendered useless. In a poorly designed system, it can render any restore operations useless and basically sets the network back to square one.
Restoring programs and data after a crypto-ransomware attack becomes a race against time as the targeted business struggles to stop the spread and cleanup the virus and to restore business-critical operations. Because ransomware requires time to move laterally, assaults are often launched on weekends and holidays, when attacks in many cases take more time to identify. This compounds the difficulty of promptly mobilizing and orchestrating a qualified response team.
Progent provides a range of help services for protecting enterprises from ransomware events. These include team training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of the latest generation security gateways with machine learning technology from SentinelOne to discover and suppress new threats quickly. Progent also can provide the services of experienced ransomware recovery engineers with the track record and commitment to rebuild a compromised network as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
Subsequent to a crypto-ransomware event, sending the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the needed keys to decipher all your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to setup from scratch the critical parts of your IT environment. Without access to full information backups, this calls for a wide complement of skill sets, top notch team management, and the ability to work continuously until the job is complete.
For two decades, Progent has made available certified expert IT services for businesses in St. Louis and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distros of Linux. Progent's cyber security engineers have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of experience gives Progent the skills to knowledgably understand critical systems and organize the remaining pieces of your IT system after a ransomware event and assemble them into an operational system.
Progent's ransomware team of experts has top notch project management systems to orchestrate the complex recovery process. Progent understands the importance of acting swiftly and in unison with a customer's management and Information Technology staff to assign priority to tasks and to get key services back on line as soon as possible.
Business Case Study: A Successful Ransomware Attack Restoration
A business escalated to Progent after their network was crashed by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government sponsored criminal gangs, suspected of adopting technology leaked from the U.S. National Security Agency. Ryuk goes after specific organizations with little room for operational disruption and is among the most profitable examples of crypto-ransomware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk event had frozen all essential operations and manufacturing processes. The majority of the client's data protection had been online at the beginning of the attack and were encrypted. The client was pursuing financing for paying the ransom (in excess of two hundred thousand dollars) and wishfully thinking for the best, but in the end reached out to Progent.
"I cannot tell you enough in regards to the help Progent gave us throughout the most stressful time of (our) company's existence. We had little choice but to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent team provided us. That you were able to get our e-mail system and essential applications back faster than one week was something I thought impossible. Each person I got help from or messaged at Progent was amazingly focused on getting us operational and was working all day and night to bail us out."
Progent worked with the client to rapidly determine and assign priority to the key services that needed to be restored in order to resume company operations:
To start, Progent followed AV/Malware Processes event mitigation best practices by stopping lateral movement and cleaning systems of viruses. Progent then started the task of rebuilding Active Directory, the key technology of enterprise environments built upon Microsoft technology. Microsoft Exchange email will not work without Windows AD, and the customer's MRP system utilized Microsoft SQL, which depends on Windows AD for security authorization to the database.
- Active Directory
- Microsoft Exchange
In less than two days, Progent was able to restore Active Directory services to its pre-penetration state. Progent then initiated setup and hard drive recovery on mission critical servers. All Microsoft Exchange Server ties and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on various PCs to recover email data. A not too old offline backup of the businesses accounting software made it possible to return these essential programs back online. Although a lot of work was left to recover fully from the Ryuk damage, core services were recovered quickly:
"For the most part, the production manufacturing operation was never shut down and we delivered all customer shipments."
Over the following few weeks key milestones in the restoration process were accomplished in tight collaboration between Progent consultants and the customer:
- Internal web applications were brought back up with no loss of data.
- The MailStore Server containing more than four million historical emails was brought online and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control capabilities were completely recovered.
- A new Palo Alto 850 firewall was installed and configured.
- 90% of the user PCs were being used by staff.
"A lot of what transpired during the initial response is nearly entirely a blur for me, but I will not forget the dedication all of the team put in to help get our business back. I've been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This time was the most impressive ever."
A possible company-ending disaster was dodged by results-oriented experts, a wide spectrum of IT skills, and close collaboration. Although in analyzing the event afterwards the ransomware virus incident detailed here could have been prevented with up-to-date cyber security systems and NIST Cybersecurity Framework best practices, staff training, and well designed security procedures for data protection and proper patching controls, the fact remains that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware attack, remember that Progent's team of experts has extensive experience in ransomware virus blocking, removal, and file disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for making it so I could get rested after we got through the initial push. All of you did an amazing job, and if anyone is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in St. Louis a portfolio of online monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services utilize modern artificial intelligence capability to uncover new variants of ransomware that can escape detection by legacy signature-based security products.
For St. Louis 24/7 CryptoLocker Repair Experts, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior machine learning technology to guard physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to address the complete threat progression including filtering, detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist you to design and configure a ProSight ESP deployment that meets your organization's specific requirements and that allows you achieve and demonstrate compliance with government and industry information security standards. Progent will assist you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also assist your company to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has worked with leading backup/restore technology providers to produce ProSight Data Protection Services (DPS), a selection of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and enable non-disruptive backup and fast restoration of important files, applications, images, plus VMs. ProSight DPS lets you recover from data loss resulting from hardware failures, natural calamities, fire, malware like ransomware, human mistakes, ill-intentioned employees, or application glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these fully managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security vendors to deliver web-based management and world-class protection for your email traffic. The powerful structure of Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most threats from making it to your network firewall. This reduces your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's onsite gateway device provides a deeper level of inspection for inbound email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, enhance and debug their connectivity hardware such as routers, firewalls, and access points as well as servers, printers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch ensures that network maps are kept current, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when problems are detected. By automating time-consuming management activities, WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, finding devices that need critical updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running at peak levels by checking the state of vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT management personnel and your Progent engineering consultant so that all looming issues can be addressed before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Since the system is virtualized, it can be ported easily to a different hosting solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and safeguard data related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSLs or domains. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of time thrown away trying to find critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes next generation behavior-based machine learning tools to defend endpoint devices as well as physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which easily get by legacy signature-matching AV products. Progent ASM services safeguard local and cloud resources and provides a single platform to automate the entire threat progression including protection, infiltration detection, mitigation, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Call Desk: Help Desk Managed Services
Progent's Call Center managed services allow your IT staff to outsource Call Center services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house network support staff and Progent's extensive pool of certified IT service engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent extension of your internal network support staff. Client access to the Help Desk, provision of support services, problem escalation, ticket generation and updates, efficiency measurement, and management of the support database are consistent regardless of whether incidents are resolved by your in-house support organization, by Progent, or a mix of the two. Learn more about Progent's outsourced/co-managed Help Desk services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for patch management offer businesses of any size a flexible and cost-effective alternative for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information network. Besides optimizing the protection and reliability of your computer network, Progent's software/firmware update management services allow your IT team to focus on more strategic initiatives and tasks that deliver maximum business value from your information network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication (2FA). Duo supports one-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you sign into a secured application and enter your password you are asked to verify your identity on a device that only you have and that is accessed using a different ("out-of-band") network channel. A wide range of out-of-band devices can be utilized as this second means of authentication including a smartphone or watch, a hardware token, a landline telephone, etc. You may register multiple validation devices. To find out more about Duo two-factor identity authentication services, see Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of in-depth management reporting tools designed to integrate with the industry's top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as inconsistent support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.