Crypto-Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyber pandemic that poses an existential threat to businesses unprepared for an attack. Crypto-ransomware and cryptoworm families such as CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock have been circulating for years and continue to inflict harm. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus unnamed newcomers appearing daily, not only encrypt online data but also corrupt every backup and system-protection mechanism they can reach. Data synchronized to the cloud can be rendered useless as well. In a poorly designed environment this can make any restore operation hopeless and effectively knocks the datacenter back to square one.
Getting applications and data back after a ransomware outage becomes a race against the clock as the targeted organization works to contain and remove the crypto-ransomware and resume business-critical operations. Because ransomware needs time to spread across a network, intrusions are usually launched at night, when they take longer to discover. This multiplies the difficulty of rapidly mobilizing and coordinating a capable response team.
Progent offers a range of services for protecting businesses from ransomware events. These include staff training to help employees recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of AI-based security solutions from SentinelOne to detect and suppress new threats. Progent also provides the assistance of veteran crypto-ransomware recovery professionals with the skills and commitment to restore a breached environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware event, paying the ransom demanded in cryptocurrency does not ensure that the criminal gang will provide the keys to decrypt any or all of your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000). This is far above the usual ransomware demand, which ZDNET determined to be around $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without access to complete data backups, this calls for a wide range of IT skills, top-notch team management, and the willingness to work around the clock until the job is complete.
For decades, Progent has provided certified expert IT services to companies in Dayton and throughout the US and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in key technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security engineers have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP software. This breadth of expertise enables Progent to rapidly identify critical systems, consolidate the surviving parts of your IT environment after a ransomware event, and rebuild them into a functioning whole.
Progent's ransomware team uses state-of-the-art project management systems to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT resources to prioritize tasks and get key applications back online as fast as possible.
Business Case Study: A Successful Ransomware Intrusion Recovery
A client contacted Progent after their company was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with limited ability to sustain operational disruption and is one of the most profitable incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in Chicago with around 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing processes. The majority of the client's backups were online and directly accessible when the intrusion began, and were destroyed. The client was arranging financing to pay the ransom (exceeding $200K) and hoping for the best, but ultimately decided to engage Progent.
"I can't speak enough in regards to the care Progent provided us throughout the most stressful time of (our) company's existence. We would have paid the cyber criminals except for the confidence the Progent experts provided us. That you were able to get our e-mail and critical servers back on-line in less than one week was earth-shattering. Each consultant I worked with or e-mailed at Progent was totally committed to getting us operational and was working at all hours on our behalf."
Progent worked with the client to quickly assess and prioritize the essential systems that had to be restored so that business functions could continue:
- Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and cleaning up compromised systems. Progent then began restoring Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not work without AD, and the customer's financial and MRP applications used Microsoft SQL Server, which relies on Active Directory services for access to the data.
Within two days, Progent restored Active Directory to its pre-attack state. Progent then began rebuilding key application servers and recovering data from their hard drives. All Microsoft Exchange Server schema and configuration data were intact, which accelerated the Exchange restore. Progent was also able to locate local OST files (Outlook Offline Data Files) on user desktops and laptops to recover mail messages. A fairly recent offline backup of the client's accounting/ERP systems made it possible to bring these essential applications back into service. Although much work remained to recover fully from the Ryuk attack, critical systems were restored quickly:
"For the most part, the production manufacturing operation survived unscathed and we delivered all customer shipments."
Over the following month, key milestones in the restoration project were achieved through close collaboration between Progent consultants and the customer:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore archive server for Microsoft Exchange, holding more than 4 million archived emails, was restored to operation and made available to users.
- CRM/Orders/Invoicing/AP/AR/Inventory Control functions were completely restored.
- A new Palo Alto 850 firewall was deployed.
- 90% of user desktops and laptops were functioning as they had before the incident.
"So much of what went on in the early hours is mostly a haze for me, but my management will not soon forget the urgency all of the team put in to help get our business back. I've utilized Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This situation was the most impressive ever."
A likely company-ending catastrophe was averted by results-oriented professionals, a broad range of subject matter expertise, and close collaboration. In hindsight, the ransomware incident described here should have been prevented by current security technology, ISO/IEC 27001 best practices, staff training, and properly executed procedures for protecting data and keeping systems current with security patches. The fact remains, however, that government-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incursion, you can be confident that Progent's team has extensive experience in ransomware defense, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get rested after we got past the most critical parts. Everyone did an impressive job, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this ransomware incident report, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Dayton a portfolio of online monitoring and security assessment services to help you reduce your exposure to crypto-ransomware. These services include next-generation machine learning technology to uncover zero-day variants of crypto-ransomware that can evade legacy signature-based anti-virus products.
For 24-Hour Dayton Ransomware Removal Help, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses SentinelOne's next-generation behavioral machine learning tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely get past traditional signature-based anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to manage the complete threat progression, including blocking, infiltration detection, mitigation, cleanup, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of, and response to, security threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP deployment that meets your company's specific requirements and that helps you demonstrate compliance with government and industry information security regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also help your company set up and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly after a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services (DPS), a selection of offerings that provide backup-as-a-service. ProSight DPS services manage and monitor your data backup processes and allow transparent backup and fast restoration of critical files/folders, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss resulting from equipment breakdown, natural calamities, fire, malware such as ransomware, user error, malicious employees, or application glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security vendors to deliver web-based control and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. The cloud filter serves as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This reduces your exposure to external attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper layer of inspection for inbound email. For outbound email, the local security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server track and protect internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to diagram, monitor, optimize and troubleshoot their networking hardware like routers, firewalls, and load balancers as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are always updated, copies and displays the configuration of virtually all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating complex network management activities, WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, locating appliances that require critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management techniques to keep your network running at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT personnel and your Progent consultant so all looming issues can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported immediately to a different hardware solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard data about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can save as much as half the time wasted looking for critical information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and how-tos. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Read more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that uses cutting-edge behavioral machine learning technology to defend endpoints, servers and VMs against new malware assaults like ransomware and fileless exploits, which routinely get past legacy signature-matching anti-virus products. Progent ASM services protect on-premises and cloud resources and offer a single platform to address the complete malware attack progression, including blocking, detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Service Center: Call Center Managed Services
Progent's Call Desk services allow your IT team to offload help desk services to Progent or to share support activity transparently between your in-house support resources and Progent's nationwide pool of certified IT support engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent supplement to your internal network support group. Client interaction with the Help Desk, delivery of support services, problem escalation, ticket creation and updates, efficiency metrics, and management of the support database are cohesive whether incidents are resolved by your core IT support staff, by Progent's team, or both. Find out more about Progent's outsourced/shared Help Center services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer organizations of all sizes a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and tracking updates to your dynamic IT network. Besides maximizing the protection and functionality of your IT environment, Progent's patch management services allow your in-house IT team to concentrate on more strategic projects and activities that deliver the highest business value from your network. Learn more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication managed services use Cisco's Duo cloud technology to defend against password theft through two-factor authentication. Duo supports single-tap identity confirmation on Apple iOS, Android, and other personal devices. With Duo 2FA, when you log into a secured application and enter your password, you are asked to verify your identity via a device that only you have and that uses a different ("out-of-band") network channel. A broad range of out-of-band devices can serve as this second means of authentication, including a smartphone or watch, a hardware or software token, a landline phone, etc. You may register several validation devices. To learn more about Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of real-time management reporting plug-ins created to work with the industry's leading ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-up or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.