Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-ransomware has become a modern cyberplague that presents an enterprise-level danger for organizations unprepared for an attack. Versions of crypto-ransomware such as the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for a long time and still inflict harm. Recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nefilim, as well as frequent as-yet-unnamed malware, not only encrypt online data files but also attack most reachable system protection mechanisms. Data replicated to off-site disaster recovery sites can also be rendered useless. With a poorly architected data protection solution, this can make automated restoration hopeless and effectively sets the entire environment back to zero.
Restoring programs and data after a ransomware intrusion becomes a race against the clock as the targeted business tries to contain and remove the ransomware and to restore business-critical activity. Because ransomware takes time to spread, attacks are usually launched at night, when they typically take longer to recognize. This compounds the difficulty of promptly assembling and coordinating a capable response team.
Progent offers an assortment of support services for protecting organizations from ransomware penetrations. These include user education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security solutions with AI technology from SentinelOne to discover and extinguish new cyber threats quickly. Progent can also provide expert ransomware recovery consultants with the track record and commitment to restore a breached environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys needed to decrypt any or all of your data. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their data after sending the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNet reports averages approximately $13,000. The alternative is to set up the critical components of your Information Technology environment from scratch. Without access to complete system backups, this requires a broad complement of skills, top-notch project management, and the capability to work non-stop until the job is done.
For twenty years, Progent has provided certified expert Information Technology services for companies in Dayton and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience in accounting and ERP applications. This breadth of expertise gives Progent the skills to efficiently understand important systems, re-organize the remaining components of your network environment after a ransomware attack, and assemble them into a functioning system.
Progent's security team uses best-of-breed project management systems to orchestrate the complex restoration process. Progent appreciates the urgency of acting quickly and in unison with a client's management and Information Technology staff to prioritize tasks and to put the most important applications back online as soon as possible.
Client Case Study: A Successful Ransomware Incident Response
A client contacted Progent after their company was taken over by Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored cybercriminals, possibly using techniques leaked from the United States NSA. Ryuk targets specific organizations with limited tolerance for disruption and is among the most profitable versions of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with about 500 employees. The Ryuk event had paralyzed all company operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the attack and were encrypted. The client considered paying the ransom demand (more than $200,000) and hoping for good luck, but in the end called Progent.
"I can't thank you enough for the help Progent gave us during the most critical period of (our) business's survival. We may have had to pay the hackers if not for the confidence the Progent experts afforded us. That you were able to get our e-mail and important applications back online in less than 1 week was incredible. Every single expert I got help from or messaged at Progent was hell-bent on getting us restored and was working at breakneck pace to bail us out."
Progent worked together with the client to quickly identify and prioritize the key areas that needed to be addressed in order to continue company operations:
- Windows Active Directory
- Microsoft Exchange
To start, Progent followed anti-virus/malware incident mitigation best practices by halting the spread and removing active malware. Progent then began restoring Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Active Directory, and the client's accounting and MRP applications used Microsoft SQL Server, which depended on Windows AD for access to the data.
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then rebuilt key systems and recovered their hard drives. All Exchange schema extensions and attributes were intact, which facilitated the restoration of Exchange. Progent was able to collect local OST files (Outlook offline data files) from various workstations to recover mail data. A recent offline backup of the customer's financials/ERP systems allowed Progent to bring these vital applications back online. Although a large amount of work remained to recover completely from the Ryuk damage, the most important services were restored quickly:
"For the most part, the assembly line operation was never shut down and we delivered all customer sales."
Over the following few weeks, key milestones in the recovery project were reached through close collaboration between Progent team members and the customer:
- In-house web sites were returned to operation with no loss of data.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was brought online and made available to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were completely functional.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Nearly all of the desktops and laptops were operational.
"So much of what happened that first week is nearly entirely a blur for me, but I will not forget the countless hours each of you put in to help get our company back. I've been working with Progent for the past ten years, possibly more, and every time Progent has come through and delivered as promised. This event was a testament to your capabilities."
A probable enterprise-killing catastrophe was averted by top-tier professionals, a wide array of knowledge, and tight teamwork. Although, in hindsight, the ransomware incident described here could have been prevented with current security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and appropriate procedures for data backup and software patching, the reality is that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and will continue. If you do fall victim to crypto-ransomware, be confident that Progent's team of professionals has substantial experience in ransomware defense, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), thanks very much for letting me get rested after we got through the initial push. Everyone did an amazing job, and if any of you guys are visiting the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Dayton a portfolio of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to crypto-ransomware. These services incorporate modern machine learning capability to uncover zero-day strains of ransomware that can get past traditional signature-based security products.
For 24-Hour Dayton Crypto-Ransomware Remediation Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses SentinelOne's cutting-edge behavior-based analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely slip past legacy signature-matching anti-virus tools. ProSight ASM protects local and cloud-based resources and offers a single platform to address the entire malware attack lifecycle, including protection, identification, mitigation, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring of and response to security attacks from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering via cutting-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP deployment that addresses your organization's specific needs and helps you prove compliance with legal and industry information protection regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent's consultants can also help you install and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup technology companies to create ProSight Data Protection Services, a portfolio of management offerings that deliver backup-as-a-service. ProSight DPS services manage and track your data backup operations and enable non-disruptive backup and rapid restoration of vital files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or software glitches. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to provide web-based control and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a first line of defense and blocks most threats before they reach your network firewall. This reduces your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's onsite gateway device provides a deeper level of analysis for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and safeguard internal email that originates and ends inside your corporate firewall. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to diagram, track, optimize and troubleshoot their networking hardware like routers and switches, firewalls, and wireless controllers plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and manages the configuration of almost all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, finding devices that require critical software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating at peak levels by checking the health of vital assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT management staff and your assigned Progent consultant so any potential issues can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Since the environment is virtualized, it can be moved immediately to a different hosting solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect data about your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to half the time wasted looking for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates next-generation behavior-based machine learning tools to guard endpoints, servers, and VMs against new malware attacks such as ransomware and email phishing, which easily escape legacy signature-based anti-virus tools. These services protect on-premises and cloud-based resources and offer a unified platform to manage the entire malware attack lifecycle, including blocking, detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Service Desk: Support Desk Managed Services
Progent's Call Center services allow your information technology group to outsource Call Center services to Progent or divide responsibilities for Help Desk services seamlessly between your internal network support resources and Progent's extensive pool of IT support engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth extension of your core IT support group. Client interaction with the Help Desk, provision of technical assistance, escalation, ticket creation and tracking, efficiency metrics, and maintenance of the service database are consistent regardless of whether issues are taken care of by your core IT support group, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Call Center services.
- Patch Management: Patch Management Services
Progent's managed services for patch management offer businesses of any size a versatile and cost-effective solution for assessing, validating, scheduling, implementing, and documenting updates to your ever-evolving IT network. In addition to maximizing the protection and functionality of your IT environment, Progent's software/firmware update management services allow your in-house IT team to concentrate on more strategic projects and activities that deliver maximum business value from your information network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services use Cisco's Duo cloud technology to protect against compromised passwords through two-factor authentication (2FA). Duo enables one-tap identity verification with iOS, Google Android, and other personal devices. With 2FA, when you sign into a protected application and enter your password, you are asked to confirm your identity via a device that only you possess and that uses a separate network channel. A broad range of out-of-band devices can be used for this second means of identity validation, including a smartphone or wearable, a hardware or software token, or a landline telephone. You can designate several verification devices. For details about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of real-time and in-depth management reporting utilities designed to integrate with the top ticketing and remote network monitoring programs, including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-through or machines with out-of-date anti-virus. By exposing ticketing or network health concerns clearly and in near real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.