Ransomware : Your Crippling Information Technology Nightmare
Crypto-Ransomware has become a modern cyberplague that poses an extinction-level danger for businesses unprepared for an attack. Versions of ransomware such as CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict havoc. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus daily unnamed malware, not only encrypt on-line critical data but also infiltrate all accessible system protection mechanisms. Data replicated to cloud environments can also be rendered useless. In a poorly architected data protection solution, it can render automated recovery hopeless and basically sets the datacenter back to square one.
Getting back online programs and data after a ransomware event becomes a race against the clock as the victim tries its best to stop lateral movement and eradicate the virus and to restore business-critical activity. Due to the fact that ransomware takes time to replicate, assaults are usually sprung during nights and weekends, when successful penetrations in many cases take longer to recognize. This compounds the difficulty of rapidly assembling and orchestrating a knowledgeable response team.
Progent makes available an assortment of solutions for protecting organizations from crypto-ransomware events. These include team member training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of the latest generation security appliances with AI technology from SentinelOne to detect and disable day-zero cyber attacks rapidly. Progent in addition can provide the assistance of expert ransomware recovery consultants with the skills and commitment to re-deploy a breached environment as soon as possible.
Progent's Ransomware Recovery Help
Subsequent to a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will provide the needed keys to decrypt any or all of your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their data after having paid the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to setup from scratch the mission-critical elements of your IT environment. Without access to complete information backups, this requires a wide range of skill sets, professional project management, and the willingness to work continuously until the task is over.
For twenty years, Progent has made available certified expert Information Technology services for businesses in Vitória and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned top certifications in leading technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security specialists have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP software solutions. This breadth of expertise affords Progent the ability to knowledgably ascertain important systems and re-organize the surviving parts of your IT environment after a ransomware attack and configure them into an operational system.
Progent's ransomware group uses top notch project management systems to coordinate the complex recovery process. Progent appreciates the importance of acting quickly and together with a client's management and IT resources to assign priority to tasks and to get key services back on line as soon as possible.
Case Study: A Successful Ransomware Intrusion Recovery
A customer escalated to Progent after their organization was attacked by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state hackers, suspected of adopting strategies exposed from America's NSA organization. Ryuk attacks specific organizations with limited room for operational disruption and is among the most profitable iterations of ransomware. Well Known targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area and has around 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's system backups had been online at the start of the attack and were encrypted. The client was taking steps for paying the ransom (in excess of $200K) and hoping for good luck, but in the end made the decision to use Progent.
"I can't say enough in regards to the care Progent gave us throughout the most stressful time of (our) businesses life. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team provided us. The fact that you could get our e-mail system and important applications back on-line sooner than 1 week was incredible. Every single staff member I interacted with or texted at Progent was absolutely committed on getting our system up and was working day and night on our behalf."
Progent worked with the customer to quickly get our arms around and prioritize the most important systems that had to be addressed in order to restart company functions:
- Active Directory (AD)
- Electronic Mail
- Accounting/MRP
To start, Progent followed ransomware event mitigation best practices by stopping lateral movement and removing active viruses. Progent then began the work of rebuilding Microsoft Active Directory, the heart of enterprise systems built on Microsoft technology. Exchange email will not operate without AD, and the businesses' MRP applications leveraged SQL Server, which requires Windows AD for security authorization to the data.
In less than two days, Progent was able to re-build Active Directory to its pre-virus state. Progent then charged ahead with reinstallations and hard drive recovery of key servers. All Microsoft Exchange Server data and attributes were usable, which greatly helped the restore of Exchange. Progent was able to assemble non-encrypted OST data files (Microsoft Outlook Off-Line Data Files) on team workstations and laptops in order to recover email messages. A recent off-line backup of the client's financials/MRP systems made them able to return these required programs back online for users. Although a large amount of work remained to recover fully from the Ryuk virus, essential systems were recovered quickly:
"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer orders."
Over the following month critical milestones in the recovery process were completed in tight cooperation between Progent engineers and the customer:
- Self-hosted web sites were restored without losing any data.
- The MailStore Microsoft Exchange Server exceeding 4 million archived messages was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were 100% operational.
- A new Palo Alto 850 security appliance was brought on-line.
- Nearly all of the user PCs were operational.
"A lot of what happened those first few days is nearly entirely a haze for me, but I will not forget the dedication each and every one of your team accomplished to help get our business back. I've been working together with Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This event was a Herculean accomplishment."
Conclusion
A possible business extinction disaster was averted by dedicated experts, a wide array of subject matter expertise, and close teamwork. Although in analyzing the event afterwards the crypto-ransomware virus penetration described here could have been identified and stopped with modern cyber security solutions and recognized best practices, staff education, and appropriate incident response procedures for information protection and keeping systems up to date with security patches, the fact remains that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's team of experts has a proven track record in ransomware virus blocking, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for letting me get some sleep after we got past the initial push. All of you did an impressive job, and if any of your guys is around the Chicago area, a great meal is on me!"
To read or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Vitória a range of remote monitoring and security evaluation services to assist you to minimize the threat from ransomware. These services incorporate modern AI technology to uncover new variants of ransomware that can escape detection by legacy signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to automate the complete malware attack progression including filtering, identification, containment, remediation, and forensics. Top capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection services offer ultra-affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device control, and web filtering through leading-edge technologies packaged within a single agent accessible from a single control. Progent's data protection and virtualization experts can help you to plan and implement a ProSight ESP deployment that meets your organization's unique requirements and that allows you achieve and demonstrate compliance with government and industry data protection standards. Progent will assist you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent can also assist you to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore technology providers to create ProSight Data Protection Services, a portfolio of subscription-based offerings that provide backup-as-a-service. ProSight DPS services automate and track your backup operations and enable transparent backup and fast restoration of vital files, applications, images, plus virtual machines. ProSight DPS lets you recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or software bugs. Managed services in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security companies to provide web-based management and world-class security for all your email traffic. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most unwanted email from making it to your network firewall. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further layer of inspection for inbound email. For outgoing email, the local gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server to monitor and protect internal email that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, optimize and troubleshoot their connectivity appliances such as routers and switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network maps are kept current, copies and displays the configuration information of virtually all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, locating appliances that require important software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by tracking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your specified IT personnel and your Progent engineering consultant so that all looming issues can be resolved before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved easily to a different hosting environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard data related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSLs ,domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half of time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior-based machine learning tools to guard endpoint devices and physical and virtual servers against modern malware assaults such as ransomware and email phishing, which routinely evade traditional signature-matching anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud-based resources and offers a unified platform to automate the complete threat lifecycle including filtering, identification, mitigation, remediation, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Call Desk: Help Desk Managed Services
Progent's Call Desk managed services allow your IT staff to offload Support Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house support group and Progent's nationwide pool of certified IT service engineers and subject matter experts. Progent's Co-managed Service Desk offers a smooth extension of your core IT support organization. End user interaction with the Help Desk, delivery of technical assistance, escalation, trouble ticket creation and updates, performance metrics, and maintenance of the service database are cohesive regardless of whether incidents are taken care of by your internal IT support resources, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Call Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer businesses of any size a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and documenting software and firmware updates to your dynamic information system. Besides maximizing the protection and functionality of your computer network, Progent's software/firmware update management services permit your IT staff to focus on line-of-business projects and tasks that deliver the highest business value from your information network. Learn more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo MFA services incorporate Cisco's Duo technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With 2FA, when you log into a secured application and enter your password you are asked to verify your identity via a unit that only you possess and that uses a separate network channel. A broad range of out-of-band devices can be used for this added form of authentication such as a smartphone or wearable, a hardware/software token, a landline phone, etc. You may designate multiple verification devices. To learn more about Duo identity validation services, visit Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of in-depth reporting plug-ins created to integrate with the top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-up or machines with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For Vitória 24x7 Ransomware Remediation Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.