Crypto-Ransomware: Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyberplague that presents an existential threat to organizations poorly prepared for an attack. Different versions of crypto-ransomware such as CryptoLocker, Fusob, Locky, SamSam and MongoLock have been running rampant for many years and continue to cause destruction. More recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, plus additional unnamed variants, not only encrypt online data but also corrupt most configured system backups, because any backup reachable from the compromised network is a target. Files synchronized to cloud environments can also be rendered useless, since the encrypted versions overwrite the good copies. In a poorly architected system, this renders automated restore operations useless and effectively knocks the network back to zero.
Restoring applications and data after a ransomware intrusion becomes a race against the clock as the targeted business struggles to contain the damage, eradicate the crypto-ransomware, and restore mission-critical operations. Because ransomware needs time to spread, attacks are often launched on weekends and at night, when a successful penetration may take longer to notice. This multiplies the difficulty of rapidly mobilizing and organizing a qualified mitigation team.
Progent provides a range of services for protecting enterprises from crypto-ransomware events. Among these are team training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions with artificial intelligence capabilities from SentinelOne to discover and suppress zero-day cyber threats quickly. Progent can also provide the services of veteran ransomware recovery consultants with the track record and perseverance to reconstruct a compromised network as soon as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware event, paying the ransom in Bitcoin provides no assurance that the attackers will respond with the keys to decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to rebuild the key components of your IT environment. Without full system backups, this calls for a wide range of IT skills, well-coordinated team management, and the willingness to work continuously until the task is completed.
For decades, Progent has provided professional IT services for businesses in St. Louis and throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have earned high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in financial systems and ERP software solutions. This breadth of experience gives Progent the skills to knowledgeably identify critical systems, salvage the surviving pieces of your network environment after a crypto-ransomware penetration, and reassemble them into an operational system.
Progent's security group deploys powerful project management applications to coordinate the complex recovery process. Progent understands the importance of working rapidly and together with a client's management and Information Technology team members to prioritize tasks and to put essential services back online as soon as possible.
Customer Case Study: A Successful Ransomware Virus Response
A customer hired Progent after their network was crippled by Ryuk ransomware. Ryuk is believed to have been launched by North Korean government-sponsored criminal gangs, possibly using techniques leaked from the United States NSA. Ryuk targets specific companies with limited tolerance for operational disruption and is among the most lucrative versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area with about 500 workers. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the intrusion and were encrypted. The client considered paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately called Progent.
"I cannot tell you enough about the support Progent gave us throughout the most stressful time of (our) company's life. We may have had to pay the criminal gangs if not for the confidence the Progent experts provided us. That you were able to get our e-mail and important servers back on-line sooner than seven days was beyond my wildest dreams. Each expert I talked with or e-mailed at Progent was absolutely committed to getting us back on-line and was working 24/7 to bail us out."
Progent worked with the customer to rapidly assess and prioritize the mission-critical elements that had to be restored in order to restart departmental operations:
- Microsoft Active Directory
- Microsoft Exchange
To begin, Progent followed ransomware incident mitigation best practices by stopping the spread and clearing infected systems. Progent then began the steps of bringing Microsoft Active Directory (AD), the core of enterprise environments built on Microsoft technology, back online. Microsoft Exchange Server messaging will not function without AD, and the business's accounting and MRP system relied on SQL Server, which needs Active Directory services for access to the data.
Within two days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then carried out reinstallations and storage recovery of critical systems. All Exchange data and configuration information were usable, which accelerated the restoration of Exchange. Progent was able to collect intact OST files (Outlook offline folder files) from team desktop computers to recover email data. A reasonably recent offline backup of the customer's financials/MRP software made it possible to return these essential applications to service. Although major work remained to recover fully from the Ryuk virus, the most important systems were recovered rapidly:
"For the most part, the production operation showed little impact and we produced all customer sales."
Over the following few weeks important milestones in the recovery process were completed through tight collaboration between Progent consultants and the client:
- Self-hosted web applications were returned to operation without losing any information.
- The MailStore archive of Microsoft Exchange Server email, holding more than 4 million historical messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory capabilities were completely operational.
- A new Palo Alto 850 security appliance was brought online.
- Ninety percent of the user desktops and notebooks were fully operational.
"So much of what happened in the early hours is mostly a haze for me, but my management will not soon forget the dedication each and every one of your team put in to give us our business back. I have trusted Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This situation was no exception but maybe more Herculean."
A probable company-ending catastrophe was averted through the efforts of top-tier experts, a broad spectrum of knowledge, and close teamwork. In retrospect, the ransomware incident detailed here should have been identified and disabled by advanced cyber security solutions, NIST Cybersecurity Framework best practices, user education, and well thought out procedures for data backup and for keeping systems current with security patches. The fact remains that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware incident, remember that Progent's roster of professionals has extensive experience in crypto-ransomware defense, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for making it so I could get rested after we got over the initial push. Everyone did an incredible job, and if any of your guys are around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in St. Louis a variety of remote monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services utilize next-generation AI technology to uncover new variants of ransomware that can escape detection by traditional signature-based anti-virus products.
For 24-7 St. Louis CryptoLocker Remediation Experts, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's next-generation behavioral machine learning technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-based AV tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to automate the complete threat lifecycle including protection, detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to security attacks from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies packaged within one agent managed from a single console. Progent's security and virtualization experts can help you design and implement a ProSight ESP deployment that meets your organization's specific needs and that allows you to prove compliance with legal and industry information security standards. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent's consultants can also help your company install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has partnered with advanced backup technology providers to create ProSight Data Protection Services, a selection of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and allow non-disruptive backup and fast recovery of vital files/folders, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss caused by hardware breakdown, natural calamities, fire, malware such as ransomware, user error, malicious employees, or application bugs. Managed services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide centralized control and comprehensive protection for your inbound and outbound email. The architecture of Progent's Email Guard integrates cloud-based filtering with a local security gateway device to provide layered protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a first line of defense and blocks most unwanted email before it reaches your network firewall. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper layer of analysis for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server monitor and safeguard internal email that originates and ends inside your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map out, track, optimize and debug their connectivity hardware like switches, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are always current, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious network management processes, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, locating appliances that need important software patches, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating efficiently by checking the state of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT personnel and your Progent consultant so all potential problems can be addressed before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported immediately to an alternate hosting solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect data about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can eliminate up to half of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next-generation behavior-based analysis tools to guard endpoints and physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus products. Progent Active Security Monitoring services safeguard local and cloud resources and offer a unified platform to automate the entire malware attack progression including protection, identification, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service snapshots and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Help Desk: Call Center Managed Services
Progent's Help Desk services permit your information technology staff to outsource support desk services to Progent or to divide support activity transparently between your in-house support group and Progent's extensive roster of IT service engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your in-house IT support resources. Client access to the Help Desk, delivery of support services, problem escalation, ticket generation and tracking, efficiency measurement, and management of the service database are cohesive whether incidents are resolved by your internal IT support resources, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Help Desk services.
- Patch Management: Patch Management Services
Progent's managed services for patch management offer organizations of any size a flexible and cost-effective solution for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your evolving IT environment. In addition to improving the security and reliability of your IT network, Progent's patch management services permit your in-house IT team to focus on more strategic projects and tasks that derive maximum business value from your network. Learn more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification on Apple iOS, Android, and other personal devices. With Duo 2FA, when you log into a protected online account and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a separate network channel, so a stolen password alone is not enough to log in. A broad selection of out-of-band devices can be used for this added form of identity validation, such as an iPhone, Android phone or wearable, a hardware or software token, or a landline phone. You can designate several verification devices. To find out more about ProSight Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding line of real-time and in-depth management reporting utilities designed to work with the top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like spotty support follow-through or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.