Ransomware: Your Crippling Information Technology Catastrophe
Crypto-ransomware has become a too-frequent cyberplague that presents an enterprise-level threat to businesses of all sizes. Families such as CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been around for years and continue to inflict damage. More recent families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus many unnamed variants, not only encrypt online data but also seek out and destroy every restore point and backup reachable from the compromised network, typically by deleting Volume Shadow Copies and wiping backup catalogs shortly before encryption begins. Data synched to the cloud is not safe either: the sync client faithfully uploads the encrypted files over the clean copies. In a vulnerable environment this makes automatic restoration impossible and effectively sets the network back to square one.
Recovering programs and data after a crypto-ransomware event becomes a race against time as the targeted business struggles to stop the spread, eradicate the malware, and restore business-critical operations. Because ransomware needs time to spread, attacks are frequently launched on weekends or holidays, when a successful penetration can go undetected for longer. This multiplies the difficulty of rapidly marshalling and coordinating an experienced response team.
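The backup-destruction step described above is also the best early warning a defender gets, because the commands involved are rarely run legitimately and are issued minutes before encryption starts. The following is an added example for this page, not Progent's or SentinelOne's tooling: a detector that scans Windows process-creation events (Sysmon Event ID 1 or Security 4688) exported one per line and flags the shadow-copy, recovery and backup-catalog tampering commands used by Ryuk, Conti and similar families. The "ts host=... user=... cmd=..." line layout and the sample events are constructed for the example and are assumptions, not a real export format.

```python
"""Flag backup-destruction commands in Windows process-creation telemetry.

Added example for this page, not Progent's or SentinelOne's code. The event
line layout (ts host=... user=... cmd=...) and the sample events below are
constructed for the example. The patterns are the commands Ryuk, Conti and
similar families run to delete Volume Shadow Copies, disable Windows
recovery and wipe backup catalogs shortly before encrypting.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# (technique label, regex over the command line). All are case-insensitive.
TAMPER_PATTERNS = [
    ("vss-delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vss-resize",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic-shadow-delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit-no-recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin-delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
]

# One event per line: ISO timestamp, host, user, then the full command line.
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass
class Hit:
    ts: str
    host: str
    user: str
    technique: str
    cmd: str


def scan(lines):
    """Return one Hit per event whose command line matches a tamper pattern."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a process-creation event in the expected layout
        cmd = m.group("cmd")
        for technique, pattern in TAMPER_PATTERNS:
            if pattern.search(cmd):
                hits.append(Hit(m.group("ts"), m.group("host"), m.group("user"), technique, cmd))
                break
    return hits


def techniques_by_host(hits):
    """Map host -> sorted list of distinct tamper techniques seen on it."""
    seen = defaultdict(set)
    for h in hits:
        seen[h.host].add(h.technique)
    return {host: sorted(t) for host, t in seen.items()}


def hosts_to_isolate(hits, min_techniques=2):
    """Hosts showing several distinct techniques are being staged for
    encryption: isolate them from the network immediately."""
    return sorted(h for h, t in techniques_by_host(hits).items() if len(t) >= min_techniques)


# Constructed sample: a file server being staged on a Saturday night, plus two
# benign events (an Outlook launch and an admin merely listing shadow copies).
SAMPLE_EVENTS = [
    r"2020-02-15T02:11:03Z host=MFG-FS01 user=CORP\svc_backup cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2020-02-15T02:11:04Z host=MFG-FS01 user=CORP\svc_backup cmd=wmic.exe shadowcopy delete",
    r"2020-02-15T02:11:05Z host=MFG-FS01 user=CORP\svc_backup cmd=bcdedit.exe /set {default} recoveryenabled No",
    r"2020-02-15T02:11:06Z host=MFG-FS01 user=CORP\svc_backup cmd=wbadmin.exe delete catalog -quiet",
    r"2020-02-15T09:30:00Z host=MFG-WS22 user=CORP\jdoe cmd=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    r"2020-02-15T09:31:00Z host=MFG-DC01 user=CORP\admin cmd=vssadmin.exe list shadows",
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit.ts} {hit.host} {hit.user} [{hit.technique}] {hit.cmd}")
    print("isolate:", hosts_to_isolate(found))
```

Two design points matter in practice: a single `vssadmin` event is worth an alert on its own, but several distinct techniques on one host within a minute is the signal to cut that host off the network before the encryptor runs; and "vssadmin list shadows" is deliberately not matched, because administrators do run it. Note also that the offending account in the sample is a backup service account, which is exactly the kind of broadly privileged identity that should be monitored for interactive use.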
Progent has a range of support services for protecting enterprises from ransomware attacks. Among these are team member education to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of SentinelOne's behavior-based endpoint protection platform, which uses machine learning to detect and quarantine new threats rapidly. Progent also provides the services of seasoned crypto-ransomware recovery engineers with the skills and perseverance to reconstruct a compromised system as urgently as possible.
Progent's Ransomware Recovery Help
After a ransomware event, paying the ransom in Bitcoin provides no assurance that the criminals will deliver working keys to decrypt all your data. Kaspersky Labs found that seventeen percent of crypto-ransomware victims never recovered their information even after paying, compounding their losses. Paying also does nothing to evict the intruders, who typically retain the access they used to deploy the ransomware. The gamble is also costly. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far higher than the typical ransomware demand, which ZDNet puts at around $13,000. The alternative is to piece back together the critical elements of your IT environment. Without essential system backups, this calls for a wide range of skills, well-coordinated project management, and the ability to work 24x7 until the recovery project is completed.
For decades, Progent has offered professional IT services for businesses in Downers Grove and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of experience lets Progent quickly identify the important systems, consolidate the surviving components of your IT environment after a crypto-ransomware penetration, and assemble them into a functioning system.
Progent's ransomware team utilizes state-of-the-art project management tools to coordinate the complicated recovery process. Progent appreciates the urgency of acting swiftly and together with a client's management and IT resources to assign priority to tasks and to get essential systems back online as fast as possible.
Business Case Study: A Successful Ransomware Attack Recovery
A business contacted Progent after its network was penetrated by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the Hermes ransomware, but it is now generally attributed to Russian-speaking criminal operators, who typically gain their initial foothold through an earlier Emotet or TrickBot infection. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer based in Chicago with around 500 employees. The Ryuk attack had halted all company operations and manufacturing processes. Most of the client's backups were online and reachable from the compromised network at the time of the intrusion and were encrypted along with the production data. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end brought in Progent.
"I cannot tell you enough in regards to the support Progent provided us during the most critical time of (our) company's life. We had little choice but to pay the criminal gangs except for the confidence the Progent experts provided us. That you could get our e-mail system and key applications back faster than five days was beyond my wildest dreams. Each consultant I talked with or communicated with at Progent was laser focused on getting us operational and was working at all hours on our behalf."
Progent worked with the customer to rapidly identify and prioritize the key systems that had to be restored, in dependency order, for business operations to resume:
- Windows Active Directory
- Microsoft Exchange
- MRP System
To begin, Progent followed ransomware incident-response best practice: isolating infected hosts to stop lateral movement and taking them offline to be cleaned. Progent then started restoring Active Directory, the heart of any environment built on Windows Server. Exchange cannot operate without Active Directory, and the customer's accounting and MRP software ran on Microsoft SQL Server, which relied on AD for authentication to the databases.
Within two days, Progent restored Active Directory to its pre-attack state, then reinstalled the critical applications and recovered their data from disk. Exchange's Active Directory objects and attributes were intact, which simplified the Exchange rebuild. Progent was also able to collect the local OST files (Outlook Offline Data Files) from staff PCs to recover mailbox contents. A recent offline backup of the client's financials/ERP software made it possible to bring those essential services back to users. Although major work remained to recover fully from the Ryuk attack, the most important services were restored quickly:
"For the most part, the assembly line operation showed little impact and we delivered all customer shipments."
Over the following month key milestones in the recovery project were accomplished in tight collaboration between Progent team members and the customer:
- Internal web sites were restored with no loss of data.
- The MailStore email archive for Exchange, holding more than four million messages, was brought back online and made available to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivable (AR)/Inventory capabilities were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Most user workstations were back in service.
"A lot of what was accomplished those first few days is mostly a haze for me, but we will not soon forget the commitment all of your team accomplished to help get our company back. I've been working together with Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was the most impressive ever."
A potentially company-ending catastrophe was averted thanks to hard-working experts, a broad range of subject matter expertise, and tight collaboration. In retrospect, the attack described here could have been prevented or blunted by up-to-date security tooling, NIST Cybersecurity Framework or ISO/IEC 27001 practices, user and IT administrator training, and well-designed incident response procedures covering offline backups and timely security patching. The reality remains that ransomware operators, criminal and state-sponsored alike, in Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incursion, you can be confident that Progent's team of professionals has substantial experience in crypto-ransomware defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get some sleep after we got over the first week. All of you did an incredible job, and if anyone is around the Chicago area, dinner is my treat!"
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Downers Grove a range of remote monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services utilize modern machine learning technology to uncover new variants of crypto-ransomware that can escape detection by legacy signature-based security products.
For Downers Grove 24/7 CryptoLocker Removal Help, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's next-generation behavioral machine learning technology to guard physical and virtual endpoints against new malware attacks such as ransomware and phishing payloads, which routinely get past legacy signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to automate the complete threat lifecycle including filtering, identification, containment, remediation, and forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device control, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business to design and implement a ProSight ESP environment that addresses your organization's specific needs and that helps you demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate attention. Progent's consultants can also assist you to set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with advanced backup technology companies to produce ProSight Data Protection Services, a family of offerings that provide backup-as-a-service. ProSight DPS products automate and track your backup operations and enable non-disruptive backup and fast recovery of critical files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned insiders, or application glitches. Managed services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security vendors to deliver centralized control and world-class security for your email traffic. The layered structure of Email Guard integrates a Cloud Protection Layer with a local gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of threats before they reach your security perimeter. This decreases your exposure to inbound threats and saves bandwidth and storage. Email Guard's onsite gateway device adds a further layer of inspection for incoming email. For outgoing email, the local security gateway offers AV and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to diagram, monitor, reconfigure and troubleshoot their networking hardware like routers and switches, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are always updated, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious management processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, locating devices that need important software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your network operating efficiently by checking the health of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your specified IT management personnel and your assigned Progent engineering consultant so that all potential issues can be addressed before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved easily to different hardware without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates cutting-edge behavior-based analysis tools to guard endpoint devices and physical and virtual servers against new malware assaults like ransomware and phishing payloads, which routinely evade legacy signature-based anti-virus products. The service safeguards local and cloud resources and provides a single platform to manage the complete threat lifecycle including blocking, infiltration detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Help Center: Call Center Managed Services
Progent's Call Center services enable your information technology staff to outsource Support Desk services to Progent or divide responsibilities for Help Desk services transparently between your in-house support group and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a seamless supplement to your core IT support resources. End user interaction with the Help Desk, delivery of technical assistance, problem escalation, trouble ticket creation and tracking, efficiency metrics, and management of the service database are consistent regardless of whether incidents are taken care of by your internal IT support organization, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management provide organizations of any size a versatile and cost-effective solution for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT network. In addition to optimizing the security and functionality of your IT environment, Progent's software/firmware update management services allow your IT team to concentrate on more strategic initiatives and tasks that derive the highest business value from your network. Find out more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against the use of stolen passwords through two-factor authentication. Duo supports single-tap identity verification with iOS, Google Android, and other out-of-band devices. With 2FA, when you log into a secured application and enter your password you are asked to prove who you are via a device that only you have and that communicates over a separate channel. A broad range of out-of-band devices can be used as this added form of ID validation, such as an iPhone, Android phone or watch, a hardware or software token, a landline phone, etc. You may register multiple validation devices. For details about Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing family of real-time reporting utilities created to integrate with the top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-up or machines with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.