Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyber pandemic that presents an enterprise-level danger to businesses of all sizes that are poorly prepared for an attack. Different versions of crypto-ransomware such as the CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been out in the wild for many years and still inflict damage. The latest versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as frequent as-yet-unnamed variants, not only encrypt online data but also infect all reachable system restore points and backups. Information synchronized to cloud environments can also be ransomed. In a poorly architected data protection solution, this can make automated restore operations impossible and effectively knocks the datacenter back to square one.
Recovering programs and data following a ransomware intrusion becomes a sprint against the clock as the targeted organization fights to stop lateral movement, eradicate the ransomware, and restore mission-critical operations. Because crypto-ransomware takes time to move laterally, intrusions are usually launched at night and on weekends, when successful attacks typically take longer to recognize. This compounds the difficulty of rapidly assembling and organizing a qualified mitigation team.
Progent offers an assortment of help services for securing businesses from crypto-ransomware events. Among these are user training to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security appliances with AI capabilities from SentinelOne to identify and suppress new cyber threats rapidly. Progent in addition provides the assistance of experienced crypto-ransomware recovery engineers with the skills and commitment to restore a breached environment as urgently as possible.
Progent's Ransomware Recovery Support Services
After a ransomware penetration, paying the ransom demand in Bitcoin provides no assurance that the attackers will return the keys needed to decrypt any or all of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files even after paying the ransom, compounding their losses. Paying is also expensive: Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), well above the typical ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to set up the critical elements of your IT environment from scratch. Without full data backups, this calls for a wide range of skill sets, top-notch project management, and the ability to work 24x7 until the task is done.
For twenty years, Progent has offered certified expert IT services for businesses in Detroit and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the capability to knowledgeably determine the necessary systems, integrate the surviving components of your IT system following a crypto-ransomware penetration, and rebuild them into a functioning network.
Progent's ransomware group deploys powerful project management applications to orchestrate the complex recovery process. Progent understands the importance of acting quickly and in unison with a client's management and IT staff to assign priority to tasks and to put critical services back online as soon as possible.
Business Case Study: A Successful Ransomware Incident Response
A small business contacted Progent after their company was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, suspected of using techniques leaked from America's NSA. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most profitable incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had disabled all essential operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but in the end called Progent.
"I cannot speak enough in regards to the help Progent provided us during the most stressful time of (our) business's survival. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent team provided us. The fact that you could get our messaging and key applications back faster than a week was something I thought impossible. Every single expert I interacted with or communicated with at Progent was amazingly focused on getting us operational and was working at all hours on our behalf."
Progent worked hand in hand with the client to quickly assess and prioritize the essential areas that needed to be recovered to make it possible to restart departmental operations:
- Windows Active Directory
- Microsoft Exchange Server
- MRP System
To begin, Progent adhered to ransomware incident mitigation industry best practices by isolating and disinfecting systems. Progent then began the task of bringing Windows Active Directory back online, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not operate without Windows AD, and the customer's accounting and MRP applications used SQL Server, which depends on Windows AD for access to the databases.
Within two days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then assisted with reinstallations and hard drive recovery on the most important servers. All Exchange Server data and attributes were usable, which accelerated the restore of Exchange. Progent was also able to locate local OST files (Microsoft Outlook Offline Data Files) on various desktop computers in order to recover mail data. A fairly recent offline backup of the client's financials/ERP systems made it possible to bring these required programs back to users. Although a large amount of work still had to be done to recover fully from the Ryuk attack, the most important systems were recovered rapidly:
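The restore sequence above (isolate first, then Active Directory, then the Exchange and SQL Server workloads that depend on it) is one instance of a general problem: ordering recovery so that nothing is rebuilt before its prerequisites exist. The following is an added, constructed example and not Progent's tooling or the client's actual inventory. It models a service dependency graph resembling the case study (the service names, the DNS entry and the priority values are assumptions for illustration), produces a dependency-respecting restore order with business priority as the tie-breaker, groups services into waves that can be rebuilt in parallel, and flags a dependency cycle, which in an incident-response plan signals a hidden bootstrap dependency that must be broken by hand before recovery can start.

```python
"""Restore-order planner for ransomware recovery (constructed example)."""
from collections import defaultdict

# Constructed inventory modelled on the case study.  Keys are services;
# values are the services that must be running before each can be restored.
DEPENDENCIES = {
    "Active Directory": [],
    "DNS": [],                                   # assumed: AD-integrated DNS
    "SQL Server": ["Active Directory"],          # SQL auth relies on AD
    "Exchange Server": ["Active Directory", "DNS"],
    "MRP System": ["SQL Server"],
    "Financials/ERP": ["SQL Server"],
    "Internal web apps": ["SQL Server", "Active Directory"],
}

# Business priority (lower = more urgent); only breaks ties between services
# whose prerequisites are already satisfied, never overrides a dependency.
PRIORITY = {
    "Active Directory": 1, "DNS": 1, "Exchange Server": 2, "SQL Server": 2,
    "MRP System": 3, "Financials/ERP": 4, "Internal web apps": 5,
}


def restore_order(deps, priority):
    """Kahn's topological sort with a priority-ordered ready set.

    Returns the sequence in which to restore services.  Raises ValueError
    naming the services stuck in a dependency cycle.
    """
    indegree = {svc: 0 for svc in deps}
    dependents = defaultdict(list)
    for svc, reqs in deps.items():
        for req in reqs:
            if req not in deps:
                raise KeyError(f"{svc} depends on unknown service {req!r}")
            indegree[svc] += 1
            dependents[req].append(svc)

    def rank(svc):
        return (priority.get(svc, 99), svc)

    ready = sorted((s for s, d in indegree.items() if d == 0), key=rank)
    order = []
    while ready:
        svc = ready.pop(0)
        order.append(svc)
        for dep in dependents[svc]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
        ready.sort(key=rank)  # most urgent of the now-unblocked services first

    if len(order) != len(deps):
        stuck = sorted(s for s in deps if s not in order)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def restore_waves(deps):
    """Group services into waves: everything in a wave depends only on
    earlier waves, so one wave can be rebuilt in parallel by separate teams."""
    remaining = dict(deps)
    done, waves = set(), []
    while remaining:
        wave = sorted(s for s, reqs in remaining.items() if all(r in done for r in reqs))
        if not wave:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        waves.append(wave)
        done.update(wave)
        for svc in wave:
            del remaining[svc]
    return waves


if __name__ == "__main__":
    for step, svc in enumerate(restore_order(DEPENDENCIES, PRIORITY), 1):
        print(f"{step}. {svc}")
    for n, wave in enumerate(restore_waves(DEPENDENCIES), 1):
        print(f"wave {n}: {', '.join(wave)}")
```

With the constructed inventory, Active Directory comes first and the MRP and ERP systems land after SQL Server regardless of how urgent the business considers them; the wave view shows that DNS can be rebuilt alongside AD and that Exchange and SQL Server can proceed in parallel once AD is back. Real recovery plans should populate the graph from the organization's own documentation rather than from memory under pressure.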
"For the most part, the assembly line operation was never shut down and we produced all customer sales."
Over the following couple of weeks, key milestones in the recovery process were achieved through tight collaboration between Progent team members and the client:
- Internal web applications were returned to operation with no loss of data.
- The MailStore Exchange Server with over four million archived messages was restored to operations and available for users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory functions were 100% operational.
- A new Palo Alto 850 security appliance was brought online.
- Most of the user desktops were fully operational.
"A lot of what happened during the initial response is mostly a haze for me, but I will not forget the dedication each and every one of the team accomplished to help get our company back. I have entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was a testament to your capabilities."
Conclusion
A probable business catastrophe was avoided thanks to dedicated professionals, a wide spectrum of subject matter expertise, and close collaboration. In retrospect, the ransomware penetration detailed here would have been identified and prevented with current cyber security technology, NIST Cybersecurity Framework best practices, team education, properly executed incident response procedures for information protection, and proper patching controls. The reality, however, is that state-sponsored hackers from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, feel confident that Progent's roster of experts has extensive experience in ransomware blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for letting me get some sleep after we made it over the initial push. All of you did a fabulous job, and if any of you guys are around the Chicago area, dinner is my treat!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Detroit a portfolio of remote monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services include modern machine learning technology to uncover new strains of crypto-ransomware that are able to escape detection by traditional signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior machine learning technology to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely evade legacy signature-based AV products. ProSight ASM protects on-premises and cloud resources and offers a single platform to automate the entire malware attack progression including protection, identification, containment, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a single control. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that meets your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent's consultants can also assist you to set up and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with leading backup technology companies to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that provide backup-as-a-service. ProSight DPS services automate and track your backup processes and allow non-disruptive backup and rapid restoration of critical files/folders, applications, images, and virtual machines. ProSight DPS lets your business protect against data loss caused by equipment failures, natural disasters, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these fully managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to deliver web-based control and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a first line of defense and blocks most unwanted email from making it to your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further layer of inspection for inbound email. For outbound email, the local gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, optimize and troubleshoot their networking appliances like routers and switches, firewalls, and load balancers as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are kept current, captures and displays the configuration of almost all devices connected to your network, monitors performance, and sends alerts when issues are detected. By automating tedious network management processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, finding appliances that need critical updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by checking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT management staff and your Progent consultant so that any looming problems can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved easily to an alternate hardware environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard data about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of the time wasted searching for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning technology to guard endpoint devices and physical and virtual servers against modern malware assaults like ransomware and email phishing, which routinely escape traditional signature-matching AV tools. Progent Active Security Monitoring services safeguard local and cloud resources and provides a single platform to address the complete threat progression including filtering, identification, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Call Desk: Help Desk Managed Services
Progent's Call Center services enable your IT staff to offload Call Center services to Progent or split activity for support services seamlessly between your internal support group and Progent's nationwide roster of IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent extension of your corporate network support resources. Client interaction with the Service Desk, provision of support services, problem escalation, trouble ticket generation and updates, performance measurement, and maintenance of the support database are cohesive whether incidents are resolved by your corporate support group, by Progent's team, or both. Find out more about Progent's outsourced/shared Help Desk services.
- Patch Management: Patch Management Services
Progent's managed services for patch management provide organizations of all sizes a versatile and cost-effective solution for evaluating, testing, scheduling, implementing, and documenting updates to your ever-evolving IT system. Besides maximizing the security and reliability of your computer network, Progent's patch management services permit your IT staff to concentrate on line-of-business initiatives and tasks that deliver maximum business value from your network. Read more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication. Duo supports one-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, when you log into a protected online account and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a separate network channel. A wide range of out-of-band devices can be used for this added form of authentication, such as a smartphone or watch, a hardware or software token, or a landline telephone. You can designate several validation devices. For more information about ProSight Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing line of real-time reporting utilities designed to work with the top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues such as inconsistent support follow-up or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For 24-7 Detroit Ransomware Repair Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.