Ransomware : Your Worst Information Technology Catastrophe
Crypto-Ransomware has become a too-frequent cyberplague that poses an enterprise-level danger for businesses of all sizes poorly prepared for an assault. Different iterations of ransomware such as CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to cause havoc. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, as well as daily unnamed malware, not only encrypt on-line critical data but also infiltrate most accessible system backups. Files synched to the cloud can also be rendered useless. In a poorly architected system, it can render automatic restore operations useless and effectively sets the entire system back to square one.
Retrieving programs and information after a ransomware intrusion becomes a sprint against time as the victim tries its best to contain the damage and eradicate the virus and to restore business-critical operations. Since ransomware takes time to replicate, attacks are frequently launched during weekends and nights, when penetrations in many cases take more time to discover. This compounds the difficulty of quickly marshalling and organizing a knowledgeable response team.
Progent makes available a variety of services for securing organizations from ransomware attacks. Among these are team member training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security solutions with artificial intelligence technology from SentinelOne to detect and quarantine zero-day cyber attacks rapidly. Progent in addition offers the assistance of expert ransomware recovery consultants with the talent and commitment to restore a breached network as urgently as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware penetration, sending the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will provide the keys to decipher any of your files. Kaspersky estimated that 17% of crypto-ransomware victims never restored their information after having paid the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well above the average ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to setup from scratch the key components of your Information Technology environment. Absent access to complete system backups, this requires a broad range of skills, top notch project management, and the ability to work non-stop until the task is complete.
For twenty years, Progent has made available professional IT services for companies in Dallas and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security experts have garnered internationally-recognized certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with financial systems and ERP applications. This breadth of experience gives Progent the skills to rapidly understand critical systems and organize the surviving pieces of your IT environment following a ransomware event and configure them into an operational network.
Progent's ransomware team has best of breed project management systems to coordinate the sophisticated restoration process. Progent appreciates the importance of working swiftly and in unison with a client's management and IT team members to assign priority to tasks and to get critical applications back on-line as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer sought out Progent after their network system was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state criminal gangs, possibly adopting approaches exposed from the United States National Security Agency. Ryuk targets specific businesses with limited ability to sustain disruption and is among the most profitable iterations of ransomware viruses. Well Known victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer located in the Chicago metro area with about 500 employees. The Ryuk penetration had disabled all company operations and manufacturing capabilities. Most of the client's data protection had been online at the time of the intrusion and were damaged. The client was actively seeking loans for paying the ransom demand (exceeding two hundred thousand dollars) and wishfully thinking for the best, but ultimately called Progent.
"I cannot say enough in regards to the support Progent gave us throughout the most stressful period of (our) company's survival. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent experts provided us. The fact that you could get our e-mail and critical servers back faster than one week was something I thought impossible. Every single expert I talked with or communicated with at Progent was amazingly focused on getting my company operational and was working breakneck pace on our behalf."
Progent worked hand in hand the customer to quickly understand and prioritize the mission critical areas that had to be recovered in order to restart company operations:
To begin, Progent adhered to ransomware penetration mitigation best practices by halting lateral movement and clearing up compromised systems. Progent then began the task of restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange email will not operate without AD, and the businesses' MRP applications leveraged Microsoft SQL, which depends on Active Directory services for authentication to the database.
- Windows Active Directory
- Microsoft Exchange Email
Within 48 hours, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then completed reinstallations and storage recovery on the most important applications. All Exchange schema and attributes were intact, which greatly helped the restore of Exchange. Progent was also able to collect non-encrypted OST files (Microsoft Outlook Offline Folder Files) on team PCs and laptops to recover email messages. A recent offline backup of the customer's accounting/MRP systems made it possible to recover these required applications back on-line. Although significant work remained to recover fully from the Ryuk attack, essential systems were returned to operations rapidly:
"For the most part, the production line operation never missed a beat and we produced all customer deliverables."
During the following few weeks key milestones in the restoration project were completed in close cooperation between Progent consultants and the client:
- Internal web applications were restored without losing any information.
- The MailStore Exchange Server containing more than 4 million historical messages was brought online and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory functions were completely restored.
- A new Palo Alto 850 firewall was installed and configured.
- Ninety percent of the user desktops and notebooks were back into operation.
"So much of what happened that first week is nearly entirely a blur for me, but my team will not soon forget the urgency each of your team put in to give us our business back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered. This situation was a life saver."
A likely enterprise-killing catastrophe was averted through the efforts of results-oriented professionals, a broad array of knowledge, and tight collaboration. Although upon completion of forensics the crypto-ransomware attack detailed here would have been identified and prevented with modern cyber security technology and security best practices, user training, and appropriate incident response procedures for information backup and applying software patches, the reality is that government-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's roster of professionals has extensive experience in ransomware virus blocking, mitigation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), I'm grateful for letting me get rested after we made it past the most critical parts. Everyone did an incredible effort, and if anyone that helped is around the Chicago area, dinner is my treat!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Dallas a range of remote monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services incorporate modern AI technology to uncover zero-day strains of ransomware that can escape detection by traditional signature-based anti-virus solutions.
For Dallas 24-7 Ransomware Removal Help, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior machine learning tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily get by traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to address the complete threat progression including filtering, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP deployment that meets your company's unique requirements and that helps you demonstrate compliance with government and industry information protection standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent's consultants can also assist your company to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore software companies to produce ProSight Data Protection Services (DPS), a selection of subscription-based offerings that provide backup-as-a-service. ProSight DPS products manage and track your data backup operations and enable transparent backup and fast recovery of vital files, applications, images, plus virtual machines. ProSight DPS lets your business recover from data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks like ransomware, user error, ill-intentioned insiders, or software glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security companies to provide centralized management and comprehensive security for your email traffic. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from making it to your security perimeter. This reduces your vulnerability to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further layer of analysis for incoming email. For outbound email, the local gateway offers AV and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to map, track, optimize and debug their connectivity hardware like routers, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, captures and displays the configuration of almost all devices on your network, tracks performance, and generates notices when potential issues are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, locating appliances that require critical updates, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT staff and your assigned Progent consultant so that all looming problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be ported easily to an alternate hosting environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of time thrown away looking for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes cutting edge behavior-based machine learning tools to guard endpoints as well as servers and VMs against modern malware assaults like ransomware and file-less exploits, which easily escape legacy signature-matching AV tools. Progent ASM services protect local and cloud resources and provides a single platform to manage the complete threat progression including blocking, identification, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
Progent's Help Desk services enable your IT staff to offload Help Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house network support staff and Progent's extensive roster of certified IT service engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your core network support team. Client access to the Service Desk, delivery of support, problem escalation, trouble ticket creation and updates, efficiency measurement, and management of the service database are cohesive regardless of whether issues are resolved by your core IT support group, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Service Center services.
- Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide organizations of all sizes a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. Besides maximizing the protection and functionality of your computer environment, Progent's patch management services permit your IT staff to concentrate on line-of-business projects and activities that deliver the highest business value from your information network. Read more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification on iOS, Android, and other personal devices. Using Duo 2FA, whenever you log into a protected application and enter your password you are requested to verify your identity via a device that only you have and that is accessed using a separate network channel. A broad range of out-of-band devices can be used as this second means of ID validation such as a smartphone or wearable, a hardware/software token, a landline phone, etc. You may register several validation devices. To learn more about ProSight Duo two-factor identity authentication services, visit Duo MFA two-factor authentication services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of in-depth management reporting utilities designed to work with the top ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-through or endpoints with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.