Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become a modern cyber pandemic that poses an extinction-level danger for businesses of all sizes that are poorly prepared for an assault. Multiple generations of crypto-ransomware such as CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and continue to cause damage. Newer strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus frequent as-yet-unnamed malware, not only encrypt critical on-line data but also seek out and corrupt any reachable system restore points and backups. Files replicated to off-site disaster recovery sites can also be corrupted. In a poorly architected data protection solution, this can render any restore operation hopeless and effectively knock the network back to square one.
Getting services and information back online after a ransomware intrusion becomes a race against the clock as the victim struggles to stop lateral movement, clear the crypto-ransomware, and resume business-critical activity. Because ransomware takes time to move laterally, attacks are often launched at night, when they may take longer to uncover. This compounds the difficulty of quickly assembling and organizing a capable response team.
Progent offers an assortment of services for securing enterprises from ransomware penetrations. These include team member training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation of security gateways with machine learning technology from SentinelOne to discover and quarantine zero-day cyber threats rapidly. Progent also provides the services of experienced ransomware recovery professionals with the skills and commitment to reconstruct a breached environment as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware invasion, sending the ransom in cryptocurrency does not guarantee that merciless criminals will provide the keys needed to decrypt any of your information. Kaspersky estimated that 17% of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms are commonly a few hundred thousand dollars. For larger organizations, the ransom demand can reach millions. The alternative is to rebuild the vital parts of your IT environment from scratch. Without complete data backups, this requires a broad range of skills, professional team management, and the capability to work non-stop until the job is done.
For decades, Progent has provided professional Information Technology services for businesses across the U.S. and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned top industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally renowned industry certifications including CISM, CISSP, CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the ability to rapidly identify critical systems, consolidate the remaining parts of your Information Technology environment following a ransomware attack, and configure them into an operational network.
Progent's security group deploys top-notch project management systems to coordinate the complex restoration process. Progent appreciates the importance of working rapidly and together with a customer's management and IT team members to assign priority to tasks and to put key services back on line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Intrusion Response
A client hired Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean state cybercriminals, suspected of adopting approaches leaked from America's NSA organization. Ryuk seeks out specific businesses with little room for operational disruption and is among the most profitable examples of ransomware viruses. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with around 500 staff members. The Ryuk event had frozen all company operations and manufacturing processes. Most of the client's data backups had been directly accessible at the start of the intrusion and were damaged. The client was pursuing financing to pay the ransom (exceeding $200,000) and praying for good luck, but in the end engaged Progent.
"I can't say enough about the help Progent gave us during the most fearful time of (our) business's existence. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent team provided us. That you could get our messaging and production applications back on-line in less than a week was something I thought impossible. Every single expert I got help from or communicated with at Progent was totally committed to getting us back on-line and was working non-stop to bail us out."
Progent worked with the customer to quickly identify and prioritize the critical systems that needed to be addressed in order to continue business operations:
- Active Directory (AD)
- Microsoft Exchange Email
- Financials/MRP
To begin, Progent followed industry best practices for malware incident response by isolating and cleaning up compromised systems. Progent then started the process of restoring Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Exchange email will not function without Windows AD, and the customer's accounting and MRP system used SQL Server, which depends on Windows AD to authorize access to the databases.
In less than two days, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then helped perform setup and hard drive recovery on essential applications. All Exchange data and configuration information were usable, which greatly helped the restoration of Exchange. Progent was able to locate intact OST files (Microsoft Outlook Offline Data Files) on staff workstations in order to recover email data. A recent offline backup of the client's financials/MRP software made it possible to bring these required applications back online for users. Although a large amount of work was left to recover fully from the Ryuk virus, core services were returned to operation quickly:
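The ordering problem described above (nothing that depends on Active Directory can come back until AD itself is restored, and the financials/MRP application cannot come back until SQL Server does) generalizes to any recovery: build the dependency graph of the services you have to restore, sort it so every dependency is restored before its dependents, and pair each service with whichever restore source survived the attack. The planner below is an added illustration written for this page, not Progent's tooling or a record of the client's environment; the service names, dependencies and restore sources are constructed to mirror the case study.

```python
"""Dependency-ordered recovery planner (added example, not Progent's code).

Models the ordering constraint in the case study: Exchange and SQL Server
need Active Directory, financials/MRP needs SQL Server, so restoration has
to follow the dependency graph. Service names, dependencies and restore
sources below are constructed for illustration.
"""
from collections import deque

# Constructed dependency map: each service lists the services it needs
# before it can be brought back online.
DEPENDENCIES = {
    "active_directory": [],
    "exchange": ["active_directory"],
    "sql_server": ["active_directory"],
    "financials_mrp": ["sql_server"],
    "mailstore_archive": ["exchange"],
    "web_apps": ["sql_server"],
}

# Constructed view of which restore sources survived. In the case study the
# online backups were damaged, but OST files on workstations and a recent
# offline backup of financials/MRP were usable.
RESTORE_SOURCES = {
    "active_directory": "rebuild_from_intact_dc_data",
    "exchange": "workstation_ost_files",
    "sql_server": "offline_backup",
    "financials_mrp": "offline_backup",
    "mailstore_archive": "intact_on_disk",
    "web_apps": "intact_on_disk",
}


def restore_order(deps):
    """Return services in an order that restores every dependency first.

    Kahn's algorithm (topological sort). Raises ValueError on an unknown
    dependency or a cycle: either means the dependency map is wrong and
    must be reviewed before anyone starts restoring anything.
    """
    indegree = {svc: 0 for svc in deps}
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc} depends on unknown service {need}")
            indegree[svc] += 1
            dependents[need].append(svc)
    # sorted() keeps the output deterministic when several services are ready
    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for child in sorted(dependents[svc]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(deps):
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def recovery_plan(deps, sources):
    """Pair each service, in restore order, with its surviving restore source.

    A service with no surviving source is flagged up front so the team sees
    the gap before starting instead of discovering it mid-restore.
    """
    plan = []
    for svc in restore_order(deps):
        source = sources.get(svc)
        plan.append((svc, source if source else "NO SURVIVING SOURCE"))
    return plan


if __name__ == "__main__":
    for step, (svc, source) in enumerate(recovery_plan(DEPENDENCIES, RESTORE_SOURCES), 1):
        print(f"{step}. {svc:<18} <- {source}")
```

Running the block prints Active Directory first, then Exchange and SQL Server, and only then the archive, financials/MRP and web applications; the plan also calls out any service whose restore source is missing, which is the check that saves the most time when online backups turn out to have been encrypted along with everything else.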
"For the most part, the assembly line operation did not miss a beat and we produced all customer sales."
Over the following couple of weeks key milestones in the restoration project were achieved through close collaboration between Progent engineers and the client:
- In-house web applications were brought back up with no loss of information.
- The MailStore Exchange archive server, holding more than four million archived messages, was brought on-line and made available to users.
- CRM/Orders/Invoices/Accounts Payable/AR/Inventory modules were completely restored.
- A new Palo Alto Networks 850 security appliance was brought online.
- Ninety percent of the user desktops were fully operational.
"Much of what occurred during the initial response is nearly entirely a fog for me, but my team will not forget the dedication all of the team put in to give us our company back. I've been working with Progent for the past ten years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This time was a Herculean accomplishment."
Conclusion
A potential business extinction disaster was avoided with dedicated experts, a wide range of IT skills, and tight teamwork. In retrospect, the ransomware attack detailed here could have been blocked by advanced security systems, NIST Cybersecurity Framework best practices, user and IT administrator education, well thought out incident response procedures for data protection, and keeping systems up to date with security patches. The fact remains, however, that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a ransomware incursion, remember that Progent's roster of experts has extensive experience in ransomware blocking, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), I'm grateful for letting me get some sleep after we made it through the initial fire. All of you did a fabulous effort, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer story, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Detroit a range of online monitoring and security assessment services designed to help you to minimize the threat from crypto-ransomware. These services include modern machine learning technology to detect zero-day strains of ransomware that can escape detection by traditional signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's cutting-edge behavior-based analysis tools to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily evade traditional signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to address the entire threat progression including blocking, identification, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, device control, and web filtering via cutting-edge technologies packaged within a single agent accessible from a unified control. Progent's data protection and virtualization consultants can help you to design and configure a ProSight ESP deployment that meets your company's unique requirements and that helps you prove compliance with legal and industry information security standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent action. Progent's consultants can also help you to set up and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services, a family of offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and allow transparent backup and fast restoration of important files/folders, applications, system images, plus VMs. ProSight DPS lets you protect against data loss resulting from hardware breakdown, natural disasters, fire, malware such as ransomware, user mistakes, malicious insiders, or software bugs. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security vendors to provide web-based control and world-class security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines cloud-based filtering with a local security gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's onsite gateway device adds a further level of analysis for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, optimize and debug their connectivity appliances such as routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are always current, copies and displays the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are discovered. By automating tedious management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, finding appliances that need important updates, or resolving performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system running efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT personnel and your Progent consultant so that all looming issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved easily to a different hardware environment without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to 50% of the time thrown away trying to find vital information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Learn more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates next-generation behavior-based machine learning technology to defend endpoints and physical and virtual servers against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-based AV tools. Progent ASM services protect local and cloud-based resources and offer a unified platform to address the complete threat progression including filtering, detection, containment, remediation, and forensics. Key features include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Help Center: Help Desk Managed Services
Progent's Help Desk services permit your information technology staff to offload Call Center services to Progent or split responsibilities for Help Desk services transparently between your in-house support resources and Progent's nationwide roster of IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a seamless extension of your internal support organization. User interaction with the Help Desk, provision of support services, issue escalation, ticket generation and updates, performance measurement, and maintenance of the service database are cohesive regardless of whether issues are resolved by your core network support resources, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Service Desk services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management offer organizations of any size a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information system. Besides maximizing the security and functionality of your IT network, Progent's software/firmware update management services permit your in-house IT team to focus on line-of-business projects and tasks that deliver maximum business value from your network. Find out more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication. Duo enables single-tap identity verification with iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected online account and enter your password, you are asked to verify your identity on a device that only you have and that is reached over a different ("out-of-band") network channel. A wide range of devices can be used for this added form of ID validation, including an iPhone, an Android phone, a smartwatch, a hardware token, a landline telephone, and so on. You can designate several verification devices. For more information about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.
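The property the paragraph above relies on is that a stolen password by itself is not enough: the server only issues a session after a separately enrolled device, reached over its own channel, approves a short-lived, single-use challenge. The simulation below is an added example written for this page; it is not Duo's or Progent's code and makes no claim about how Duo is implemented internally. It plays both sides of the exchange (a login server and a simulated enrolled phone) and covers the failure modes a practitioner cares about: a denied push, a challenge answered by the wrong device, a replayed challenge, and an expired challenge. All usernames, passwords and device identifiers are constructed.

```python
"""Out-of-band second factor, simulated end to end (added example, not
Duo's or Progent's code).

Passwords are stored as salted PBKDF2 hashes. After the password checks
out, the server records a pending challenge and pushes it to the enrolled
device only. The device's answer must carry the challenge's nonce, come
from the enrolled device, arrive before expiry, and be an approval. Each
challenge is single-use. Users, passwords and device ids are constructed.
"""
import hashlib
import hmac
import os
import secrets
import time

CHALLENGE_TTL_SECONDS = 60


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class LoginServer:
    def __init__(self):
        self.users = {}      # username -> (salt, pw_hash, enrolled device_id)
        self.pending = {}    # challenge_id -> challenge record
        self.sessions = set()

    def enroll(self, username, password, device_id):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt), device_id)

    def first_factor(self, username, password, now=None):
        """Check the password. On success create a pending challenge and
        return the push destined for the enrolled device; otherwise None."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, pw_hash, device_id = record
        if not hmac.compare_digest(hash_password(password, salt), pw_hash):
            return None
        now = time.time() if now is None else now
        challenge_id = secrets.token_hex(8)
        nonce = secrets.token_hex(16)
        self.pending[challenge_id] = {
            "username": username,
            "nonce": nonce,
            "device_id": device_id,
            "expires": now + CHALLENGE_TTL_SECONDS,
        }
        # The push is delivered to the enrolled device, never to the browser
        # session that supplied the password.
        return {"challenge_id": challenge_id, "nonce": nonce, "device_id": device_id}

    def second_factor(self, challenge_id, device_id, nonce, approved, now=None):
        """Consume the device's answer. Returns a session token or None."""
        now = time.time() if now is None else now
        challenge = self.pending.pop(challenge_id, None)  # single use
        if challenge is None or now > challenge["expires"]:
            return None
        if device_id != challenge["device_id"]:
            return None  # answered by something other than the enrolled device
        if not hmac.compare_digest(nonce, challenge["nonce"]):
            return None
        if not approved:
            return None  # user tapped deny
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


class EnrolledPhone:
    """Simulated out-of-band device: receives the push over its own channel
    and the user taps approve or deny."""

    def __init__(self, device_id):
        self.device_id = device_id

    def respond(self, push, approve):
        return {
            "challenge_id": push["challenge_id"],
            "device_id": self.device_id,
            "nonce": push["nonce"],
            "approved": approve,
        }


def login(server, phone, username, password, approve=True, now=None):
    """Full exchange: password, push to the phone, tap, session (or None)."""
    push = server.first_factor(username, password, now=now)
    if push is None:
        return None
    answer = phone.respond(push, approve)
    return server.second_factor(answer["challenge_id"], answer["device_id"],
                                answer["nonce"], answer["approved"], now=now)


if __name__ == "__main__":
    srv = LoginServer()
    phone = EnrolledPhone("phone-alice")
    srv.enroll("alice", "correct horse battery staple", "phone-alice")
    print("approved:", login(srv, phone, "alice", "correct horse battery staple") is not None)
    print("denied:  ", login(srv, phone, "alice", "correct horse battery staple", approve=False) is not None)
```

Two design choices matter here. The challenge is popped from the pending table before it is checked, so a second answer to the same challenge fails regardless of its content, and the server compares the answering device id against the one recorded at enrollment rather than trusting whatever the answer claims to be, which is what makes the second factor "something you have" rather than a second password.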
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding suite of real-time reporting tools designed to integrate with the industry's top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues like spotty support follow-up or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For 24x7x365 Detroit Crypto-Ransomware Removal Experts, call Progent at 800-462-8800 or go to Contact Progent.