Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware has become a modern cyber pandemic that represents an enterprise-level threat for organizations vulnerable to an assault. Different versions of ransomware like the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for a long time and still inflict destruction. More recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, as well as frequent unnamed malware, not only do encryption of on-line critical data but also infiltrate all configured system protection mechanisms. Data replicated to cloud environments can also be encrypted. In a vulnerable system, it can make any restore operations useless and effectively sets the datacenter back to square one.
Getting back online applications and information following a ransomware attack becomes a race against time as the targeted organization fights to stop lateral movement and clear the virus and to restore enterprise-critical activity. Because ransomware requires time to move laterally, penetrations are often launched at night, when successful attacks are likely to take longer to notice. This multiplies the difficulty of promptly assembling and coordinating a qualified mitigation team.
Progent has a variety of support services for securing enterprises from crypto-ransomware penetrations. Among these are team education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security solutions with machine learning capabilities from SentinelOne to identify and disable day-zero threats automatically. Progent also provides the services of expert crypto-ransomware recovery consultants with the talent and commitment to restore a compromised environment as soon as possible.
Progent's Ransomware Restoration Services
Subsequent to a ransomware attack, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will provide the codes to unencrypt any or all of your files. Kaspersky estimated that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well above the average ransomware demands, which ZDNET estimates to be around $13,000. The other path is to re-install the key components of your Information Technology environment. Absent access to full data backups, this requires a wide complement of skill sets, top notch team management, and the ability to work 24x7 until the recovery project is complete.
For two decades, Progent has made available professional Information Technology services for businesses in San Diego UCSD and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned advanced certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security consultants have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP software solutions. This breadth of experience affords Progent the ability to knowledgably understand important systems and re-organize the remaining pieces of your computer network system after a crypto-ransomware penetration and configure them into a functioning network.
Progent's ransomware team utilizes state-of-the-art project management tools to orchestrate the complicated recovery process. Progent appreciates the urgency of acting swiftly and together with a customer's management and IT team members to assign priority to tasks and to get key systems back on-line as fast as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Response
A client hired Progent after their organization was attacked by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government sponsored cybercriminals, suspected of adopting techniques leaked from America's NSA organization. Ryuk attacks specific companies with little or no ability to sustain disruption and is among the most profitable instances of ransomware. Well Known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer located in the Chicago metro area with about 500 employees. The Ryuk event had shut down all company operations and manufacturing capabilities. Most of the client's system backups had been on-line at the start of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (in excess of $200,000) and praying for good luck, but ultimately called Progent.
"I cannot thank you enough in regards to the expertise Progent gave us during the most stressful time of (our) company's life. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent group gave us. The fact that you could get our e-mail and key applications back online faster than five days was incredible. Each consultant I got help from or messaged at Progent was hell bent on getting our company operational and was working non-stop to bail us out."
Progent worked together with the client to rapidly get our arms around and assign priority to the most important services that had to be addressed to make it possible to continue departmental operations:
- Active Directory
- Microsoft Exchange
- Accounting/MRP
To start, Progent adhered to Anti-virus penetration response industry best practices by stopping the spread and disinfecting systems. Progent then began the work of restoring Microsoft AD, the key technology of enterprise networks built on Microsoft Windows technology. Exchange messaging will not operate without AD, and the client's financials and MRP software utilized Microsoft SQL, which depends on Active Directory services for security authorization to the database.
In less than 48 hours, Progent was able to restore Active Directory to its pre-intrusion state. Progent then initiated reinstallations and hard drive recovery of critical systems. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Email Off-Line Folder Files) on user desktop computers in order to recover email information. A not too old offline backup of the client's accounting/ERP software made it possible to return these vital applications back available to users. Although major work needed to be completed to recover totally from the Ryuk event, the most important systems were returned to operations quickly:
"For the most part, the assembly line operation never missed a beat and we did not miss any customer orders."
During the next few weeks critical milestones in the restoration process were achieved through tight collaboration between Progent consultants and the client:
- In-house web applications were returned to operation without losing any information.
- The MailStore Server with over 4 million historical emails was brought online and available for users.
- CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory functions were 100% functional.
- A new Palo Alto 850 security appliance was brought on-line.
- Most of the user desktops were being used by staff.
"A huge amount of what was accomplished in the initial days is mostly a blur for me, but we will not forget the urgency all of your team put in to give us our business back. I have entrusted Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."
Conclusion
A probable business-ending catastrophe was avoided due to top-tier professionals, a wide array of knowledge, and tight collaboration. Although upon completion of forensics the ransomware penetration detailed here would have been identified and blocked with up-to-date cyber security systems and ISO/IEC 27001 best practices, team education, and well designed incident response procedures for information protection and applying software patches, the fact is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware penetration, feel confident that Progent's roster of professionals has proven experience in crypto-ransomware virus blocking, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thank you for letting me get rested after we got past the initial push. Everyone did an incredible job, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in San Diego UCSD a portfolio of online monitoring and security assessment services designed to assist you to reduce the threat from ransomware. These services include next-generation artificial intelligence capability to detect new strains of ransomware that are able to escape detection by traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's cutting edge behavior-based analysis tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely escape traditional signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to manage the entire malware attack progression including protection, detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you prove compliance with legal and industry information protection regulations. Progent will assist you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent's consultants can also assist you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with leading backup technology providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup processes and allow transparent backup and fast recovery of critical files/folders, applications, images, plus virtual machines. ProSight DPS helps your business avoid data loss caused by hardware failures, natural disasters, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or application bugs. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these fully managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security vendors to deliver web-based control and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper level of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map, track, enhance and debug their networking appliances such as routers and switches, firewalls, and access points plus servers, endpoints and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are kept updated, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating tedious management processes, WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, finding appliances that need important updates, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by checking the state of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT management personnel and your Progent consultant so that any looming problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Since the system is virtualized, it can be moved easily to a different hardware solution without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect information related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your network documentation, you can save as much as 50% of time thrown away looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're making improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting edge behavior machine learning tools to guard endpoints and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-matching anti-virus products. Progent ASM services safeguard local and cloud-based resources and offers a single platform to address the entire malware attack progression including protection, detection, mitigation, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Center: Call Center Managed Services
Progent's Help Center managed services permit your information technology staff to outsource Call Center services to Progent or divide activity for Service Desk support seamlessly between your in-house network support group and Progent's nationwide roster of certified IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent extension of your core IT support staff. Client interaction with the Service Desk, provision of technical assistance, issue escalation, trouble ticket creation and tracking, efficiency metrics, and maintenance of the service database are cohesive regardless of whether issues are resolved by your internal support resources, by Progent, or both. Read more about Progent's outsourced/shared Call Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide organizations of any size a flexible and affordable alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. In addition to maximizing the security and reliability of your computer network, Progent's patch management services permit your in-house IT team to focus on more strategic initiatives and tasks that derive the highest business value from your information network. Read more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication (2FA). Duo supports one-tap identity verification with iOS, Android, and other personal devices. Using 2FA, when you sign into a protected application and enter your password you are asked to confirm who you are on a device that only you have and that is accessed using a separate network channel. A broad selection of devices can be utilized for this second means of ID validation including a smartphone or watch, a hardware token, a landline telephone, etc. You may register multiple validation devices. To find out more about Duo identity validation services, see Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of real-time management reporting utilities created to integrate with the top ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as inconsistent support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For 24-Hour San Diego UCSD Ransomware Recovery Services, contact Progent at 800-462-8800 or go to Contact Progent.