Ransomware: Your Worst IT Nightmare
Ransomware has become an escalating cyberplague that represents an enterprise-level threat for any organization vulnerable to an attack. Crypto-ransomware families such as CrySIS, Fusob, Locky, Syskey and the MongoLock cryptoworm have been out in the wild for a long time and continue to cause havoc. More recent variants like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, as well as many unnamed newcomers, not only encrypt online data but also attack any reachable system protection mechanisms. Data synchronized to off-site disaster recovery sites can be held hostage as well. In a poorly designed data protection solution, this can render automated recovery useless and effectively set the datacenter back to square one.
Restoring services and information after a ransomware attack becomes a race against time as the targeted organization struggles to contain the outbreak, remove the malware, and resume mission-critical activity. Because ransomware needs time to spread, attacks are often launched on weekends and holidays, when a successful intrusion tends to take longer to notice. This compounds the difficulty of promptly marshalling and organizing a knowledgeable mitigation team.
Progent offers a variety of support services for securing businesses from crypto-ransomware attacks. These include user education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security appliances with artificial intelligence capabilities from SentinelOne to identify and extinguish new cyber threats quickly. Progent also offers the services of experienced crypto-ransomware recovery engineers with the track record and commitment to reconstruct a compromised network as rapidly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware attack, even paying the ransom demand in cryptocurrency provides no assurance that the cyber criminals will respond with the keys needed to decrypt all your information. Kaspersky ascertained that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are typically several hundred thousand dollars, and for larger organizations the ransom demand can reach millions of dollars. The other path is to piece back together the key components of your IT environment. Without complete information backups available, this requires a wide range of skills, professional team management, and the capability to work non-stop until the recovery project is completed.
For twenty years, Progent has provided certified expert IT services for businesses across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally renowned certifications including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent in addition has experience with financial management and ERP applications. This breadth of experience allows Progent to knowledgeably identify critical systems after a crypto-ransomware penetration, re-organize the remaining components of your network, and assemble them into a functioning whole.
Progent's recovery team uses best-of-breed project management systems to coordinate the complex restoration process. Progent knows the importance of working quickly and together with a client's management and IT team members to prioritize tasks and get the most important applications back online as fast as possible.
Client Case Study: A Successful Ransomware Incident Restoration
A customer engaged Progent after their company was taken over by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored criminal gangs, suspected of adopting techniques exposed from America's NSA. Ryuk targets specific businesses with little or no room for disruption and is one of the most profitable iterations of crypto-ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company in Chicago with about 500 staff members. The Ryuk attack had disabled all company operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom (in excess of two hundred thousand dollars) and praying for good luck, but ultimately called Progent.
"I cannot speak enough in regards to the care Progent provided us during the most critical period of (our) company's life. We may have had to pay the cybercriminals except for the confidence the Progent team afforded us. The fact that you could get our messaging and important servers back in less than 1 week was something I thought impossible. Each expert I spoke to or communicated with at Progent was totally committed to getting us back on-line and was working 24/7 on our behalf."
Progent worked hand in hand with the client to rapidly identify and prioritize the key applications that had to be addressed in order to continue business functions:
- Active Directory (AD)
- Microsoft Exchange Email
- MRP System
To start, Progent followed anti-malware incident mitigation best practices by stopping the spread and cleaning up infected systems. Progent then began recovering Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange email will not function without AD, and the business's MRP software relied on SQL Server, which needs Active Directory services to authenticate access to the data.
Within 2 days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then helped rebuild and recover the hard drives of essential application servers. All Exchange ties and attributes were intact, which accelerated the restore of Exchange. Progent was able to locate local OST files (Outlook offline folder files) on user PCs to recover email data. A recent offline backup of the client's accounting software allowed these vital services to be returned to users. Although a large amount of work still had to be done to recover completely from the Ryuk damage, the most important systems were restored rapidly:
"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer shipments."
Over the following few weeks, important milestones in the restoration process were reached through close cooperation between Progent team members and the customer:
- Internal web applications were returned to operation without losing any information.
- The MailStore Server containing more than 4 million historical emails was spun up and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable/AR/Inventory capabilities were fully recovered.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Most of the user desktops and notebooks were back in use by staff.
"A lot of what transpired those first few days is mostly a blur for me, but my management will not soon forget the dedication all of the team put in to give us our company back. I have trusted Progent for the past 10 years, possibly more, and every time Progent has come through and delivered as promised. This situation was a life saver."
Conclusion
A probable business disaster was dodged through the efforts of dedicated experts, a wide spectrum of subject matter expertise, and close teamwork. Forensics showed that the ransomware incident described here should have been identified and prevented with current security solutions and recognized best practices: staff education, properly executed data protection procedures, and keeping systems up to date with security patches. The fact remains, however, that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to ransomware, feel confident that Progent's team of professionals has proven experience in ransomware defense, removal, and file recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for letting me get some sleep after we got past the initial fire. Everyone did an impressive job, and if any of your team is around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in San Diego UCSD a portfolio of online monitoring and security evaluation services designed to help you minimize the threat from crypto-ransomware. These services utilize modern artificial intelligence capability to detect zero-day strains of ransomware that are able to evade traditional signature-based security solutions.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network running at peak levels by checking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT management personnel and your Progent engineering consultant so all looming problems can be resolved before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, monitor, enhance and debug their connectivity appliances like switches, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are always current, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when issues are discovered. By automating time-consuming management activities, ProSight WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating devices that require critical updates, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of real-time and in-depth reporting tools created to integrate with the leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has worked with leading backup software providers to produce ProSight Data Protection Services, a portfolio of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup operations and allow transparent backup and fast restoration of critical files, applications, images, plus VMs. ProSight DPS lets your business recover from data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, human error, ill-intentioned insiders, or application glitches. Managed backup services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to provide centralized control and world-class protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a first line of defense and blocks most threats from reaching your network firewall. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of inspection for inbound email. For outbound email, the on-premises security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server to monitor and protect internal email traffic that stays inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation with Apple iOS, Google Android, and other personal devices. With 2FA, whenever you sign into a secured online account and enter your password, you are asked to verify who you are via a device that only you possess and that is reached over a separate network channel. A broad range of out-of-band devices can be used as this added form of ID validation, including a smartphone or wearable, a hardware token, or a landline telephone. You can designate several verification devices. For details about Duo identity validation services, refer to Duo MFA two-factor authentication services.
- Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
Progent's Support Desk managed services permit your IT staff to outsource Help Desk services to Progent or divide responsibilities for support services seamlessly between your internal support group and Progent's extensive roster of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent extension of your core support organization. Client access to the Service Desk, provision of support services, escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the support database are cohesive whether issues are taken care of by your internal support resources, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Call Center services.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates cutting-edge behavior analysis tools to guard endpoints as well as physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which routinely get past traditional signature-matching AV products. Progent's ASM services safeguard on-premises and cloud resources and provide a single platform to manage the complete malware attack progression, including filtering, infiltration detection, containment, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard information related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can save up to half of time wasted trying to find vital information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're making improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent's Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide businesses of all sizes a flexible and affordable alternative for evaluating, validating, scheduling, applying, and documenting updates to your ever-evolving information network. Besides maximizing the security and functionality of your computer environment, Progent's software/firmware update management services permit your in-house IT staff to concentrate on more strategic initiatives and activities that derive the highest business value from your network. Read more about Progent's patch management services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to a different hosting environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavioral machine learning technology to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily evade legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to automate the entire malware attack progression, including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP deployment that addresses your organization's unique needs and allows you to prove compliance with government and industry information protection regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help you install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
For 24/7/365 San Diego UCSD Crypto Repair Consulting, contact Progent at 800-462-8800 or go to Contact Progent.