Crypto-Ransomware: Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic that poses an existential threat to businesses of every size. Older families such as Dharma, WannaCry, Locky, NotPetya and MongoLock have been in the wild for years and continue to cause damage (WannaCry and NotPetya spread as self-propagating worms; the others arrive through phishing, exposed services or stolen credentials rather than by replicating on their own). Recent strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with a steady stream of as-yet-unnamed variants, do more than encrypt online files: they also seek out and disable whatever data protection is configured on the network, deleting Volume Shadow Copies, wiping backup catalogs and encrypting any backup repository that is reachable with the credentials they have stolen. Data synchronized to the cloud can be corrupted as well, because the sync client faithfully uploads the encrypted versions. With a vulnerable data protection design this can make restoration impossible and effectively sets the network back to square one.
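The "disable configured protection" behaviour described above is, in practice, a short list of commands that delete Volume Shadow Copies, shrink shadow storage so old snapshots are evicted, wipe the Windows backup catalog, disable boot-time recovery and sweep backup file extensions off disk (MITRE ATT&CK T1490, Inhibit System Recovery). Watching process-creation logs for those commands is one of the few early warnings a defender gets before encryption starts. The Python below is an added example, not Progent's or any vendor's code: it runs a small rule set over constructed Sysmon Event 1 / Security 4688-style command lines (the "ts host= user= cmd=" layout and the host names are assumptions) and escalates a host to critical when more than one technique appears on it, since a lone shadow deletion can be legitimate maintenance but a cluster is the pre-encryption sequence.

```python
"""Flag commands that inhibit system recovery (MITRE ATT&CK T1490) in
Windows process-creation telemetry.

Added example, not Progent's code. The log lines are constructed to resemble
the command-line field of Sysmon Event ID 1 / Security 4688 events; the
"ts host= user= cmd=" layout is an assumption, not a vendor schema, so adapt
LINE_RE to your own log pipeline.
"""
import re
from dataclasses import dataclass

# One rule per recovery-inhibition technique. Patterns are case-insensitive
# and do not depend on flag order, so "Delete Shadows /All /Quiet" and
# "delete shadows /quiet /all" both match.
RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vss_resize_shadowstorage",   # shrinking the store evicts old snapshots
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_shadowcopy_delete",
     re.compile(r"\bWin32_ShadowCopy\b.*\b(?:Delete|Remove-WmiObject)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.I)),
    ("mass_delete_backup_files",   # "del /s /f /q *.bak *.vhd ..." style sweeps
     re.compile(r"\bdel\b.*(?:/s|/f|/q).*\.(?:bak|bkf|vhd|vhdx|wbcat)\b", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def scan(lines):
    """Return one Hit per (event, matching rule); unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, pattern in RULES:
            if pattern.search(m["cmd"]):
                hits.append(Hit(m["ts"], m["host"], m["user"], name, m["cmd"]))
    return hits


def triage(hits):
    """Severity per host: one technique may be an admin or a backup agent doing
    maintenance ("high", investigate); two or more distinct techniques on the
    same host is the pre-encryption pattern ("critical", isolate now)."""
    rules_by_host = {}
    for h in hits:
        rules_by_host.setdefault(h.host, set()).add(h.rule)
    return {host: "critical" if len(rules) >= 2 else "high"
            for host, rules in rules_by_host.items()}


# Constructed sample: routine backup activity on a file server, then a
# ransomware-style sweep on a domain controller and an application server.
SAMPLE_LOG = r"""
2021-03-06T02:14:05Z host=MFG-FS01 user=CORP\svc_backup cmd=C:\Windows\System32\vssadmin.exe list shadows
2021-03-06T02:14:09Z host=MFG-FS01 user=CORP\svc_backup cmd=wbadmin start backup -backupTarget:\\BKP01\nightly -include:D: -quiet
2021-03-07T03:41:12Z host=MFG-DC01 user=CORP\Administrator cmd=vssadmin.exe Delete Shadows /All /Quiet
2021-03-07T03:41:12Z host=MFG-DC01 user=CORP\Administrator cmd=vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2021-03-07T03:41:13Z host=MFG-DC01 user=CORP\Administrator cmd=bcdedit /set {default} recoveryenabled No
2021-03-07T03:41:14Z host=MFG-DC01 user=CORP\Administrator cmd=cmd.exe /c del /s /f /q c:\*.VHD c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
2021-03-07T03:42:30Z host=MFG-APP02 user=CORP\Administrator cmd=powershell.exe -nop -w hidden Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}
2021-03-07T09:05:00Z host=MFG-WS117 user=CORP\jdoe cmd=bcdedit /enum
"""


def scan_sample():
    """Run the rules over the constructed sample and return (hits, severity)."""
    hits = scan(SAMPLE_LOG.strip().splitlines())
    return hits, triage(hits)


if __name__ == "__main__":
    hits, severity = scan_sample()
    for h in hits:
        print(f"{h.ts} {h.host} {h.user} [{h.rule}] {h.cmd}")
    print(severity)
```

In production you would key the correlation on a time window as well as on host, allow-list the backup product's service account for the single-snapshot commands it legitimately runs, and treat a critical hit as a trigger to isolate the host and immediately confirm that the offline backup copies are still intact.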
Restoring programs and data after a ransomware event becomes a race against time as the targeted business fights to contain the damage, eradicate the malware, and resume mission-critical activity. Because the attackers need time to spread through a network before they trigger encryption, the final stage is usually launched on a weekend or holiday, when fewer staff are watching and a successful intrusion takes longer to recognize. This multiplies the difficulty of quickly marshalling and coordinating an experienced response team.
Progent offers an assortment of services for protecting enterprises against ransomware. These include training to help staff recognize and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation endpoint protection from SentinelOne that uses behavioral AI to identify and stop new threats automatically. Progent can also provide seasoned ransomware recovery professionals with the skills and perseverance to rebuild a compromised environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will provide keys that decrypt any of your files. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. Paying is also very expensive: Ryuk ransoms are typically a few hundred thousand dollars, and for larger enterprises the demand can run into the millions. The alternative is to rebuild the key components of your IT environment. Without usable backups of essential data, this calls for a wide complement of skill sets, well-coordinated project management, and the willingness to work around the clock until the job is complete.
For decades, Progent has provided expert IT services to businesses across the United States and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers with advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized credentials including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP software. This breadth of expertise allows Progent to quickly identify critical systems, consolidate the surviving pieces of your network after a ransomware attack, and reassemble them into a functioning system.
Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the importance of acting rapidly and working together with a customer's management and IT staff to prioritize tasks and get critical systems back online as fast as humanly possible.
Client Story: A Successful Ransomware Incident Response
A mid-sized business hired Progent after it was attacked by the Ryuk ransomware. Early analysis attributed Ryuk to North Korean state-sponsored actors because of code it shares with the older Hermes ransomware, but later research linked it to the Russian-speaking criminal group tracked as WIZARD SPIDER, which typically gains its foothold through TrickBot or Emotet infections and moves laterally by hand before deploying the encryptor. Ryuk targets specific organizations with limited ability to tolerate disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with about 500 employees. The Ryuk attack had frozen all essential business and manufacturing operations. Most of the client's backups had been online and directly reachable from the network at the time of the attack, and were encrypted along with the production data. The client was arranging financing to pay the ransom (more than $200K) and hoping for the best, but ultimately brought in Progent instead.
"I can't speak enough in regards to the support Progent provided us throughout the most fearful period of (our) business's life. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts provided us. The fact that you could get our e-mail and key servers back online in less than seven days was amazing. Every single expert I talked with or communicated with at Progent was absolutely committed to getting us operational and was working all day and night to bail us out."
Progent worked hand in hand with the customer to rapidly assess and prioritize the mission-critical systems that had to be recovered for business functions to continue:
- Microsoft Active Directory
- Electronic Mail
- MRP System
To begin, Progent followed incident response best practices by isolating and disinfecting the affected systems. Progent then began restoring Active Directory, the heart of an enterprise environment built on Microsoft technology: Microsoft Exchange Server will not operate without AD, and the client's accounting and MRP software ran on Microsoft SQL Server, which was configured to use Windows (AD) authentication for access to the databases. Restoring AD first therefore unblocked every other recovery task.
Within two days, Progent had recovered Active Directory to its pre-intrusion state. Progent then initiated reinstallations and storage recovery on the critical systems. All Exchange connections and configuration information were intact, which simplified the rebuild of Exchange. Progent was also able to locate local Outlook Offline Storage Table (.ost) files on user workstations and use them to recover email messages. A reasonably recent offline backup of the client's manufacturing systems made it possible to bring these essential applications back online for users; it survived precisely because it was not reachable from the network when the attack ran. Although a large amount of work remained to recover fully from Ryuk, the critical systems were recovered rapidly:
"For the most part, the production operation was never shut down and we delivered all customer sales."
Over the following couple of weeks, important milestones in the recovery project were completed in close collaboration between Progent team members and the client:
- In-house web sites were brought back up without losing any data.
- The MailStore archive server, holding more than 4 million archived Exchange messages, was brought online and made accessible to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable, and inventory modules were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Most user desktops and notebooks were back in operation.
"So much of what happened that first week is mostly a blur for me, but my team will not soon forget the countless hours all of your team accomplished to give us our company back. I've been working together with Progent for the past ten years, maybe more, and every time Progent has come through and delivered. This time was the most impressive ever."
Conclusion
A likely company-ending catastrophe was averted thanks to hard-working experts, a wide array of subject matter expertise, and close collaboration. In hindsight, the intrusion described here should have been prevented by modern security tooling and ISO/IEC 27001 best practices, user and IT administrator education, and well-thought-out procedures for data backup (including copies kept offline or otherwise unreachable from the production network, which is what saved the manufacturing systems in this case) and for keeping systems current with security patches. The fact remains that state-sponsored and state-tolerated criminal cyber gangs operating from Russia, China and elsewhere are tireless and an ongoing threat. If you are hit by crypto-ransomware, remember that Progent's team has extensive experience in ransomware prevention, cleanup, and disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for allowing me to get rested after we made it through the initial push. All of you made an incredible effort, and if any of your team is around the Chicago area, dinner is on me!"
To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Vitória a variety of remote monitoring and security assessment services designed to help minimize your exposure to crypto-ransomware. These services include modern artificial intelligence technology to detect new ransomware variants that evade detection by legacy signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network operating efficiently by checking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT staff and your Progent engineering consultant so that any potential issues can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software delivers a centralized, cloud-based platform for monitoring and managing your client-server infrastructure by offering an environment for performing common tedious tasks. These can include health checking, update management, automated repairs, endpoint setup, backup and restore, anti-virus response, remote access, standard and custom scripts, resource inventory, endpoint status reporting, and troubleshooting assistance. If ProSight LAN Watch with NinjaOne RMM identifies a serious incident, it transmits an alarm to your designated IT management staff and your Progent consultant so emerging problems can be taken care of before they interfere with your network. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring consulting.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to diagram, track, reconfigure and debug their networking hardware like routers and switches, firewalls, and access points as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious management processes, ProSight WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, locating appliances that need critical updates, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of in-depth reporting plug-ins designed to integrate with the industry's top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with advanced backup technology providers to produce ProSight Data Protection Services, a selection of subscription-based management offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and allow transparent backup and rapid restoration of vital files/folders, apps, images, and virtual machines. ProSight DPS lets you recover from data loss caused by hardware failures, natural disasters, fire, cyber attacks such as ransomware, human error, malicious employees, or software bugs. Managed services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these fully managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security vendors to deliver centralized control and comprehensive protection for your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and keeps most threats from reaching your network firewall. This reduces your vulnerability to external attacks and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper level of inspection for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA services use Cisco's Duo cloud technology to defend against password theft through two-factor authentication (2FA). Duo supports one-tap identity verification on iOS, Android, and other personal devices. With 2FA, whenever you log into a protected account and enter your password, you are also asked to confirm your identity using a device that only you possess and that communicates over a separate (out-of-band) channel, so a stolen password alone is not enough to log in. A wide range of out-of-band devices can serve as this second factor, such as an iPhone, Android phone or wearable, a hardware or software token, or a landline telephone. You may register several validation devices. To find out more about Duo identity validation services, visit Duo MFA two-factor authentication services.
- Outsourced/Co-managed Service Center: Support Desk Managed Services
Progent's Help Desk managed services enable your IT group to offload Help Desk services to Progent or to divide Help Desk activity seamlessly between your in-house network support resources and Progent's extensive pool of IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a smooth supplement to your corporate IT support team. User access to the Help Desk, provision of technical assistance, escalation, trouble ticket creation and updates, efficiency measurement, and management of the support database are consistent regardless of whether issues are resolved by your in-house IT support group, by Progent, or by a combination. Read more about Progent's outsourced/co-managed Help Desk services.
- Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that uses behavioral machine learning to guard endpoints, servers and VMs against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-based anti-virus products. The service protects on-premises and cloud-based resources and offers a unified platform to address the complete malware attack lifecycle: protection, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered attacks. Rollback is only as good as the snapshots that survive: ransomware routinely tries to delete shadow copies before it encrypts, so the agent's tamper protection for VSS matters as much as the rollback feature itself. Learn more about Progent's ransomware protection and recovery services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information about your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL/TLS certificates, domains, or warranties. By cleaning up and managing your network documentation, you can eliminate up to half of the time wasted looking for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide businesses of any size a flexible and cost-effective solution for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic information network. In addition to maximizing the protection and functionality of your computer environment, Progent's software/firmware update management services allow your IT team to concentrate on line-of-business projects and activities that deliver maximum business value from your network. Learn more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-sized organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware platform without a lengthy and technically risky reconfiguration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next-generation behavior-based analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and fileless exploits, which routinely evade traditional signature-based anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to automate the entire threat lifecycle, including protection, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback with Windows VSS snapshots and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides firewall protection, penetration alerts, device management, and web filtering through leading-edge technologies incorporated within a single agent accessible from a single control. Progent's data protection and virtualization consultants can help your business to design and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you prove compliance with legal and industry data security standards. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent's consultants can also assist you to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
For 24/7/365 Vitória Ransomware Recovery Support Services, call Progent at 800-462-8800 or go to Contact Progent.