Ransomware: Your Worst Information Technology Disaster
Ransomware has become a modern cyber-plague that poses an extinction-level danger to organizations poorly prepared for an attack. Multiple generations of ransomware, including the Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock families, have been in the wild for years and continue to wreak havoc. More recent variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, along with many unnamed strains, not only encrypt on-line critical data but also seek out and disable or corrupt the protection mechanisms meant to limit the damage, such as volume shadow copies and online backups. Data replicated to off-site disaster recovery sites can be ransomed as well, because replication faithfully copies the encrypted files over the good ones. In a poorly designed environment this renders automated restore operations impossible and effectively sets the entire system back to square one: backups that stay online and reachable with the same credentials as production are simply more data to encrypt.
Getting applications and data back after a crypto-ransomware attack is a race against time as the targeted business struggles to contain the damage, eradicate the ransomware, and resume business-critical operations. Because attackers need time to move laterally before they trigger encryption, the final payload is usually detonated on weekends and holidays, when the compromise takes longer to notice and fewer staff are on hand to respond. This multiplies the difficulty of quickly marshalling and orchestrating a capable mitigation team.
Progent provides an assortment of services for protecting businesses from ransomware intrusions. Among these are staff training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of latest-generation endpoint protection with AI technology from SentinelOne to identify and extinguish zero-day threats automatically. Progent also offers the assistance of veteran ransomware recovery consultants with the skills and commitment to restore a breached environment as soon as possible.
Progent's Ransomware Restoration Help
After a ransomware event, paying the ransom in Bitcoin does not ensure that the criminals will respond with working keys to decrypt any of your data. A Kaspersky Lab survey found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above typical ransomware demands, which ZDNet reported averaged around $13,000. The alternative is to rebuild the essential parts of your IT environment. Without usable backups of essential data, this requires a wide complement of skills, well-coordinated team management, and the ability to work around the clock until the recovery project is complete.
For decades, Progent has offered expert IT services to businesses in Austin and throughout the United States and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts includes professionals who have earned advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of expertise allows Progent to rapidly identify the systems that matter, reorganize the surviving components of your IT environment after a ransomware intrusion, and assemble them into an operational network.
Progent's security team uses top-notch project management tools to orchestrate the complex recovery process. Progent understands the importance of working quickly and in concert with a customer's management and IT staff to prioritize tasks and get essential systems back on line as fast as possible.
Customer Story: A Successful Ransomware Incident Restoration
A customer escalated to Progent after their network was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors, although later analysis linked it to Russian-speaking cybercrime groups. Ryuk is used in targeted attacks against organizations that can tolerate little downtime and is one of the most lucrative ransomware families. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area with around 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing capabilities. Most of the client's backups had been online when the intrusion began and were encrypted along with everything else. The client was actively seeking loans to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end engaged Progent instead.
"I cannot say enough about the help Progent gave us throughout the most fearful period of (our) company's survival. We may have had to pay the hackers if it wasn't for the confidence the Progent experts afforded us. That you could get our e-mail and key applications back online sooner than seven days was beyond my wildest dreams. Each consultant I spoke to or texted at Progent was urgently focused on getting us restored and was working at breakneck pace on our behalf."
Progent worked hand in hand with the client to rapidly assess and prioritize the critical systems that had to be restored before company operations could resume:
- Windows Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed malware incident-response best practices: isolating affected systems to halt lateral movement and cleaning infected hosts before any restoration started, so that recovered systems would not simply be re-encrypted. Progent then began restoring Active Directory, the core of enterprise networks built on Windows Server. Exchange Server cannot run without Active Directory, and the company's MRP system ran on Microsoft SQL Server, which relied on Active Directory authentication for access to the database.
In less than two days, Progent restored Active Directory to its pre-intrusion state. Progent then rebuilt and recovered storage for the mission-critical applications. Because Exchange's Active Directory objects and attributes were intact, restoring Exchange was straightforward. Progent was able to gather intact OST files (Outlook Offline Data Files) from staff PCs to recover mailbox contents. A fairly recent offline backup of the client's manufacturing systems made it possible to bring those vital services back online for users. Although a great deal of work remained to recover fully from the Ryuk damage, core services were returned to operation quickly:
"For the most part, the production manufacturing operation ran fairly normal throughout and we made all customer orders."
During the following month, further milestones in the recovery were achieved in close collaboration between Progent engineers and the customer:
- Internal web sites were brought back up without losing any information.
- The MailStore email archive, containing more than four million historical messages, was restored and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable (AR), and inventory control functions were 100% operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Ninety percent of user workstations were back in use by staff.
"A lot of what happened in the initial days is mostly a fog for me, but we will not soon forget the urgency all of you put in to help get our business back. I've entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a life saver."
A probable business-ending catastrophe was avoided thanks to results-oriented professionals, a broad spectrum of IT skills, and tight teamwork. In hindsight, the attack described here could have been blunted by advanced security tooling, adherence to the NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and administrator education, backups kept off the network, well-designed incident response procedures, and timely security patching. The fact remains that state-sponsored actors and organized criminal groups, whether based in China, North Korea, Russia or elsewhere, are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team has a proven track record in ransomware defense, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for making it so I could get some sleep after we got over the initial push. Everyone did a fabulous job, and if any of your team is around the Chicago area, a great meal is on me!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Austin a range of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services utilize next-generation artificial intelligence capability to uncover new strains of crypto-ransomware that can escape detection by traditional signature-based security products.
For 24-Hour Austin Ransomware Remediation Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's behavior-analysis technology to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which routinely get past legacy signature-based anti-virus products. ProSight ASM protects local and cloud-based resources and offers a single platform to manage the entire malware attack progression including filtering, detection, containment, cleanup, and forensics. Key features include single-click rollback using Windows VSS and automatic network-wide immunization against new threats. Note that VSS-based rollback depends on shadow copies surviving the attack; many ransomware families, Ryuk included, delete shadow copies before encrypting, so rollback is a complement to, not a substitute for, backups held off the network. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and machine learning for round-the-clock monitoring and response to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through tools incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP environment that meets your organization's unique needs and that allows you to achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent can also help you install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with leading backup/restore software providers to create ProSight Data Protection Services (DPS), a selection of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup processes and enable non-disruptive backup and fast restoration of critical files/folders, apps, images, plus virtual machines. ProSight DPS helps your business avoid data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or software bugs. Managed services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to deliver web-based control and comprehensive protection for your email traffic. The architecture of Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide layered defense against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as a first line of defense and blocks most threats before they reach your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further layer of analysis for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also work with Microsoft Exchange Server to monitor and protect internal email that never leaves your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, monitor, enhance and debug their connectivity appliances like switches, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are kept updated, copies and manages the configuration information of almost all devices on your network, monitors performance, and sends alerts when problems are detected. By automating complex network management processes, WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, finding devices that need critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by checking the health of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT staff and your assigned Progent engineering consultant so that all potential issues can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved quickly to an alternate hosting environment without a lengthy and difficult reinstallation. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard information about your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and managing your network documentation, you can eliminate as much as 50% of time spent searching for critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection managed service that uses behavior-based machine learning tools to guard endpoint devices, servers and VMs against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus products. The service protects local and cloud-based resources and offers a single platform to address the complete malware attack progression including protection, detection, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Service Desk: Help Desk Managed Services
Progent's Support Desk managed services permit your information technology group to offload Call Center services to Progent or split activity for Service Desk support transparently between your in-house network support staff and Progent's extensive pool of IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a seamless extension of your in-house IT support team. End user interaction with the Help Desk, delivery of support services, problem escalation, ticket generation and tracking, performance metrics, and maintenance of the support database are cohesive whether issues are resolved by your internal support resources, by Progent, or both. Find out more about Progent's outsourced/shared Service Desk services.
- Patch Management: Patch Management Services
Progent's managed services for patch management provide businesses of any size a versatile and affordable alternative for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. Besides optimizing the security and reliability of your IT network, Progent's software/firmware update management services free up time for your IT staff to focus on more strategic initiatives and tasks that derive maximum business value from your network. Read more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication service plans incorporate Cisco's Duo technology to protect against stolen passwords by using two-factor authentication. Duo enables single-tap identity confirmation on Apple iOS, Android, and other personal devices. With 2FA, when you log into a protected account and enter your password, you are also asked to verify your identity with a device that only you possess and that uses a separate network channel. A wide selection of out-of-band devices can serve as this second factor, including an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline phone. You may register several verification devices. To find out more about ProSight Duo identity validation services, go to Duo MFA two-factor authentication services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of in-depth management reporting plug-ins designed to work with the leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.