Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger to businesses unprepared for an attack. Families such as CrySIS, WannaCry, Locky, SamSam and MongoLock have circulated for years and continue to cause harm. Modern crypto-ransomware strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with a steady stream of as yet unnamed variants, not only encrypt on-line files but also disable or destroy whatever configured data protection they can reach, including shadow copies and on-line backups. Files replicated to cloud environments can be encrypted as well. In a vulnerable environment this renders automated restoration useless and effectively sets the entire system back to square one.
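The backup-destruction behaviour described above leaves a recognizable trace in process-creation telemetry before any file is encrypted. The following is an added example, not Progent's code or any product's detection logic: it scans constructed process-creation records (shaped like parsed Sysmon Event ID 1 or Windows 4688 events; the sample data is invented) for the commands ransomware families such as Ryuk and Conti run to delete shadow copies, backup catalogs and backup files, and rates a host higher when several distinct techniques appear together, since a single command may be routine administration.

```python
"""Detect backup-destruction commands that precede ransomware encryption.

Added example, not Progent's code. The log records below are constructed
to resemble parsed Sysmon Event ID 1 / Windows 4688 process-creation events.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Command patterns ransomware families such as Ryuk and Conti run to destroy
# local recovery points before encrypting. Matched case-insensitively
# against the full command line.
BACKUP_TAMPER_PATTERNS = {
    "vss_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "vss_resize": re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*maxsize=", re.I),
    "wmic_shadowcopy": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_catalog": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_recovery": re.compile(
        r"bcdedit(?:\.exe)?.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "powershell_vss": re.compile(
        r"Win32_ShadowCopy.*(?:\.Delete\(|Remove-WmiObject|Remove-CimInstance)", re.I),
    # bulk deletion of backup images by extension (del /s /f /q *.bak ...)
    "backup_file_delete": re.compile(r"\bdel\b[^|&]*\*\.(?:bak|bkf|vhdx?|wbcat|bac)\b", re.I),
}


@dataclass(frozen=True)
class ProcEvent:
    timestamp: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def classify(event):
    """Names of the tamper techniques an event's command line matches."""
    return sorted(name for name, rx in BACKUP_TAMPER_PATTERNS.items()
                  if rx.search(event.command_line))


def find_backup_tampering(events):
    """Group matching events by host and rate them.

    One technique on a host may be routine administration (an admin resizing
    shadow storage). Two or more distinct techniques on the same host is the
    pre-encryption sequence ransomware runs and is rated high.
    """
    per_host = defaultdict(lambda: {"techniques": set(), "events": []})
    for ev in events:
        hits = classify(ev)
        if not hits:
            continue
        per_host[ev.host]["techniques"].update(hits)
        per_host[ev.host]["events"].append(ev)

    report = {}
    for host, data in per_host.items():
        techniques = sorted(data["techniques"])
        report[host] = {
            "techniques": techniques,
            "severity": "high" if len(techniques) >= 2 else "medium",
            "users": sorted({ev.user for ev in data["events"]}),
            "count": len(data["events"]),
        }
    return report


# Constructed sample events (invented, not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("2020-06-06T02:14:03Z", "ws01", "CORP\\jdoe", "cmd.exe", "vssadmin.exe",
              "vssadmin.exe Delete Shadows /all /quiet"),
    ProcEvent("2020-06-06T02:14:04Z", "ws01", "CORP\\jdoe", "cmd.exe", "wmic.exe",
              "wmic.exe shadowcopy delete"),
    ProcEvent("2020-06-06T02:14:05Z", "ws01", "CORP\\jdoe", "cmd.exe", "bcdedit.exe",
              "bcdedit.exe /set {default} recoveryenabled No"),
    ProcEvent("2020-06-06T02:14:06Z", "ws01", "CORP\\jdoe", "cmd.exe", "cmd.exe",
              "cmd.exe /c del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf"),
    ProcEvent("2020-06-05T18:30:11Z", "srv-backup", "CORP\\backupsvc", "services.exe", "vssadmin.exe",
              "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded"),
    ProcEvent("2020-06-06T02:15:40Z", "srv-fs01", "CORP\\jdoe", "powershell.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}\""),
    ProcEvent("2020-06-06T02:16:00Z", "ws02", "CORP\\asmith", "explorer.exe", "notepad.exe",
              "notepad.exe C:\\Users\\asmith\\notes.txt"),
]


if __name__ == "__main__":
    for host, finding in find_backup_tampering(SAMPLE_EVENTS).items():
        print(host, finding["severity"], finding["techniques"], finding["users"])
```

In the sample, ws01 runs four distinct techniques in a few seconds under one user and is rated high, while the backup server's single shadow-storage resize is only medium; tune the severity rule to your environment and alert on the high tier, since by the time the encryptor itself runs the backups are already gone.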
Recovering applications and data after a ransomware intrusion becomes a race against the clock as the targeted organization struggles to stop lateral movement, eradicate the ransomware and resume mission-critical activity. Because crypto-ransomware needs time to spread and encrypt, attacks are frequently launched on weekends, when a successful intrusion tends to go unnoticed for longer. This compounds the difficulty of promptly assembling and coordinating a qualified response team.
Progent offers a variety of services for protecting organizations against crypto-ransomware attacks. These include user training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) endpoint protection built on SentinelOne's behavior-based detection to identify and quarantine zero-day attacks quickly, and installation of modern security gateways. Progent can also provide seasoned ransomware recovery professionals with the track record and perseverance to restore a compromised system as fast as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in Bitcoin does not guarantee that the criminal gang will hand over the keys needed to decrypt all your files. Kaspersky Lab found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The ransom itself is also very costly: Ryuk demands often range from 15 to 40 BTC ($120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The fallback is to rebuild the vital parts of your IT environment from scratch. Without usable backups of essential data, this calls for a broad range of IT skills, professional project management, and the capacity to work around the clock until the recovery is finished.
For two decades, Progent has provided certified expert IT services to businesses in Curitiba and across the United States and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers with advanced certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security consultants hold internationally recognized industry certifications including CISA, CISSP, CRISC and GIAC (see Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the skills to quickly identify the systems that must come back, salvage the surviving parts of your network after a crypto-ransomware event, and reassemble them into a functioning environment.
Progent's recovery team uses modern project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and bring critical systems back online as soon as possible.
Client Case Study: A Successful Recovery from a Ryuk Ransomware Attack
A customer contacted Progent after their network was hit by Ryuk ransomware. Ryuk was initially linked to North Korea because it shares code with the earlier Hermes ransomware, but subsequent analysis attributed its operation to Russian-speaking criminal groups. Ryuk targets organizations with little or no tolerance for operational disruption and is among the most lucrative ransomware families. Well-publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a manufacturer headquartered in Chicago with around 500 employees. The Ryuk intrusion had brought down all essential business operations and manufacturing processes. Most of the client's backups had been on-line at the time of the intrusion and were destroyed. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but in the end reached out to Progent.
"I cannot speak enough in regards to the help Progent gave us during the most critical time of (our) company's survival. We most likely would have paid the cybercriminals if not for the confidence the Progent group afforded us. The fact that you could get our messaging and production applications back in under five days was earth-shattering. Every single consultant I talked with or texted at Progent was hell-bent on getting us back on-line and was working non-stop to bail us out."
Progent worked with the customer to quickly identify and prioritize the essential services that had to be recovered in order to resume departmental operations:
- Microsoft Active Directory
- Microsoft Exchange email
To begin, Progent followed incident-response best practices by halting lateral movement and cleaning infected systems. Progent then set about bringing Microsoft Active Directory back online, the foundation of enterprise networks built on Microsoft Windows. Exchange will not operate without Active Directory, and the business's accounting and MRP software ran on SQL Server, which in this environment depended on Active Directory for Windows-integrated authentication to the data.
Within two days, Progent had restored Active Directory to its pre-intrusion state. Progent then rebuilt critical servers and recovered their storage. All of the Exchange Server data and attributes were usable, which greatly simplified the Exchange restore. Progent located intact OST files (Microsoft Outlook offline folder files) on various PCs to recover email messages. A reasonably recent offline backup of the client's financials/ERP software made it possible to bring these essential applications back on-line. Although significant work remained to recover completely from Ryuk, the most important services were restored quickly:
"For the most part, the production line operation was never shut down and we did not miss any customer deliverables."
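The recovery order above follows the dependency chain (Active Directory first, because Exchange and SQL Server need it; then the ERP and CRM, which need SQL Server). The following is an added example, not Progent's recovery tooling: it encodes that chain as a small dependency graph and produces restore waves with Kahn's topological sort, ordering each wave by business priority and refusing a plan that contains a cycle or an unknown dependency. The service names, priorities and dependencies are assumptions modelled on the case study; a real runbook would carry the environment's actual dependencies.

```python
"""Order recovery tasks by service dependency.

Added example, not Progent's own recovery tooling. The service list and
dependency graph are assumptions modelled on the case study (Exchange and
SQL Server need Active Directory; the ERP and CRM need SQL Server) and must
be replaced with the real environment's dependencies.
"""
from collections import defaultdict

# service -> (business priority, services it depends on).
# Lower priority number means restore sooner once dependencies are up.
ASSUMED_SERVICES = {
    "active_directory": (1, []),
    "exchange": (2, ["active_directory"]),
    "sql_server": (2, ["active_directory"]),
    "erp_accounting": (1, ["sql_server"]),
    "crm": (3, ["sql_server"]),
    "mailstore_archive": (3, ["active_directory"]),
    "web_apps": (3, ["active_directory", "sql_server"]),
    "desktops": (4, ["active_directory"]),
}


def restore_waves(services):
    """Group services into restore waves (Kahn's topological sort by level).

    A service lands in the first wave where every dependency is already
    restored; within a wave, higher business priority (lower number) goes
    first. Raises ValueError for an unknown dependency or a dependency
    cycle, which would otherwise leave part of the plan silently unscheduled.
    """
    indegree = {}
    dependents = defaultdict(list)
    for name, (_, deps) in services.items():
        indegree[name] = len(deps)
        for dep in deps:
            if dep not in services:
                raise ValueError(f"{name} depends on unknown service {dep}")
            dependents[dep].append(name)

    ready = [n for n, d in indegree.items() if d == 0]
    waves = []
    scheduled = 0
    while ready:
        wave = sorted(ready, key=lambda n: (services[n][0], n))
        waves.append(wave)
        scheduled += len(wave)
        ready = []
        for name in wave:
            for child in dependents[name]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    ready.append(child)
    if scheduled != len(services):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return waves


def prerequisites(services, target):
    """All services that must be up before `target` (transitive closure)."""
    seen = set()
    stack = list(services[target][1])
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(services[dep][1])
    return sorted(seen)


if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(ASSUMED_SERVICES), start=1):
        print(f"wave {i}: {', '.join(wave)}")
    print("erp_accounting needs:", prerequisites(ASSUMED_SERVICES, "erp_accounting"))
```

With the assumed graph the plan comes out as three waves: Active Directory alone, then Exchange and SQL Server (with the mail archive and desktops behind them), then the ERP, CRM and web applications. The point of computing it rather than listing it by hand is that the cycle check and the prerequisite lookup catch the dependency nobody remembered until a restore failed at 3 a.m.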
Over the following month, key milestones in the recovery project were reached through close collaboration between Progent engineers and the customer:
- In-house web applications were brought back up with no loss of data.
- The MailStore Server archive, holding more than four million messages, was restored to operation and made accessible to users.
- CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Ninety percent of the desktop computers were back in operation.
"So much of what happened those first few days is mostly a blur for me, but our team will not forget the urgency each of you accomplished to help get our company back. I've utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was a testament to your capabilities."
A potentially business-ending catastrophe was averted by top-tier professionals, a broad range of IT skills, and close teamwork. In retrospect, the intrusion described here would probably have been detected and blocked by current security tooling combined with NIST Cybersecurity Framework or ISO/IEC 27001 practices, user training, and well-designed procedures for data protection and patching. But the fact is that state-sponsored and criminal attackers operating from Russia, China, North Korea and elsewhere are relentless and will keep trying. If you are hit by crypto-ransomware, you can be confident that Progent's team has a proven track record in ransomware defense, cleanup, and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), thanks very much for allowing me to get some sleep after we got past the first week. Everyone made an impressive effort, and if any of your team is around the Chicago area, dinner is my treat!"
To view or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Curitiba a range of remote monitoring and security assessment services designed to help reduce your exposure to ransomware. These services include next-generation, AI-based behavioral detection to catch new strains of crypto-ransomware that evade traditional signature-based security products.
For Curitiba 24-Hour Ransomware Removal Help, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses SentinelOne's behavior-analysis technology to defend physical and virtual endpoints against modern malware such as ransomware and phishing payloads, which routinely evade legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to manage the complete malware attack lifecycle: blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection managed services offer economical in-depth security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through technologies packaged in one agent managed from a single console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP deployment that meets your organization's specific needs and allows you to demonstrate compliance with government and industry data security standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also help your company set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a destructive attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with leading backup software providers to produce ProSight Data Protection Services, a selection of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup processes and allow non-disruptive backup and rapid recovery of vital files, apps, system images, and virtual machines. ProSight DPS lets your business avoid data loss resulting from equipment failures, natural disasters, fire, cyber attacks like ransomware, user error, malicious employees, or application bugs. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to deliver centralized control and world-class protection for your email traffic. The hybrid structure of the Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide complete defense against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper layer of inspection for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email that stays within your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, monitor, enhance and troubleshoot their connectivity hardware like switches, firewalls, and load balancers plus servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are kept current, captures and displays the configuration of virtually all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating complex network management activities, ProSight WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, locating devices that require critical updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network running efficiently by checking the health of vital assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT management staff and your assigned Progent consultant so that any looming issues can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved quickly to a different hardware environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect information related to your network infrastructure, procedures, business applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL/TLS certificates or warranties. By keeping your IT infrastructure documentation current and organized, you can save up to 50% of the time spent searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that uses next-generation behavior-based machine learning tools to guard endpoint devices, servers and VMs against modern malware such as ransomware and phishing payloads, which easily escape legacy signature-matching anti-virus tools. These services safeguard on-premises and cloud-based resources and provide a unified platform to address the entire threat lifecycle: filtering, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Help Center: Call Center Managed Services
Progent's Call Center managed services permit your information technology group to offload Help Desk services to Progent or split responsibilities for support services seamlessly between your in-house support team and Progent's nationwide roster of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a transparent extension of your corporate network support organization. End user access to the Service Desk, provision of technical assistance, escalation, trouble ticket creation and updates, performance metrics, and management of the service database are consistent whether issues are taken care of by your corporate IT support staff, by Progent's team, or both. Find out more about Progent's outsourced/shared Service Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer organizations of all sizes a versatile and affordable alternative for assessing, testing, scheduling, applying, and tracking updates to your dynamic information system. Besides optimizing the security and reliability of your IT environment, Progent's software/firmware update management services free up time for your in-house IT team to focus on line-of-business initiatives and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo MFA services incorporate Cisco's Duo technology to protect against compromised passwords by using two-factor authentication. Duo supports one-tap identity verification with iOS, Android, and other personal devices. With Duo 2FA, when you log into a secured application and enter your password you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A broad selection of out-of-band devices can be used as this added form of authentication, including a smartphone or wearable, a hardware token, or a landline telephone. You can register multiple verification devices. For more information about Duo two-factor authentication services, refer to Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of real-time and in-depth management reporting tools designed to work with the leading ticketing and network monitoring platforms, including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and uses color coding to surface and contextualize key issues such as spotty support follow-through or endpoints with out-of-date anti-virus agents. By identifying ticketing or network health problems concisely and in near real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.