Ransomware : Your Crippling IT Nightmare
Ransomware has become an escalating cyber pandemic that presents an enterprise-level threat to organizations poorly prepared for an attack. Ransomware families such as CryptoLocker, WannaCry (which also spread on its own as a worm), Locky, SamSam and MongoLock have been circulating for years and still inflict damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nefilim, along with a steady stream of unnamed malware, not only encrypt online data but also go after whatever protection mechanisms they can reach, such as shadow copies, backup agents and backup repositories. Data synchronized to cloud environments can be encrypted along with the local copy. In a poorly designed data protection solution this can render any restoration useless and effectively set the network back to zero.
Recovering applications and data after a ransomware event becomes a race against the clock as the targeted business tries to contain and remove the ransomware while restoring business-critical activity. Because the attackers need time to spread through the network before encrypting it, the final encryption stage is usually launched on weekends and holidays, when a successful intrusion is likely to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and organizing a capable response team.
Progent offers a variety of services for protecting enterprises from ransomware. These include training staff to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for managed endpoint protection and response, and deployment of the latest generation of endpoint security software built on SentinelOne's machine learning technology to discover and disable zero-day threats rapidly. Progent also provides expert ransomware recovery professionals with the track record and commitment to rebuild a breached environment as urgently as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware intrusion, even paying the ransom in Bitcoin does not guarantee that the criminals will return the keys needed to decrypt any or all of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet estimates at around $13,000. The other path is to set up the critical components of your IT environment from scratch. Without access to essential data backups, this calls for a wide range of IT skills, professional project management, and the capability to work continuously until the job is done.
For two decades, Progent has provided professional IT services to businesses in Durham and throughout the United States and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of experience lets Progent quickly identify the systems that matter, reorganize the surviving components of your network after a ransomware event, and assemble them into an operational environment.
Progent's recovery team uses proven project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and works with a customer's management and IT staff to prioritize tasks and put essential services back online as fast as possible.
Client Case Study: A Successful Ransomware Intrusion Response
A small business escalated to Progent after their network was brought down by the Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored actors because of code it shares with the earlier Hermes ransomware; later analysis by the security industry attributes it to a Russian-speaking criminal group that typically gains its initial foothold through the Emotet and TrickBot trojans. Ryuk targets specific companies with little tolerance for operational disruption and is among the most profitable ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with around 500 workers. The Ryuk event had halted all company operations and manufacturing processes. Most of the client's backups had been online and reachable from the network at the start of the intrusion and were encrypted along with the production data. The client was arranging financing to pay the ransom demand (more than $200,000) and hoping for the best, but in the end engaged Progent.
"I cannot thank you enough for the support Progent provided us throughout the most critical period of (our) company's existence. We most likely would have paid the cyber criminals if not for the confidence the Progent group afforded us. That you were able to get our e-mail and important servers back into operation in less than five days was amazing. Each expert I talked with or texted at Progent was laser focused on getting us back online and was working non-stop to bail us out."
Progent worked with the customer to quickly identify and prioritize the key areas that had to be addressed before departmental functions could resume:
- Active Directory
- Exchange Server
To begin, Progent followed antivirus/malware incident-mitigation best practices by isolating and cleaning compromised systems. Progent then started bringing Active Directory back online, since AD is the foundation of enterprise environments built on Microsoft Windows technology: Microsoft Exchange Server will not function without AD, and the client's financial and MRP applications ran on SQL Server, which relied on Windows AD accounts for access to the data.
Within two days, Progent restored Active Directory to its pre-intrusion state. Progent then began reinstalling operating systems and recovering hard drives on essential systems. All Exchange Server data and attributes were usable, which simplified the rebuild of Exchange. Progent was also able to collect unencrypted Outlook Offline Folder (.ost) files from various PCs in order to recover mail messages. A relatively recent offline backup of the business's accounting/MRP systems made it possible to bring these vital applications back into service. Although much work remained to recover fully from the Ryuk attack, essential services were restored quickly:
"For the most part, the production manufacturing operation was never shut down and we produced all customer sales."
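One concrete step from that recovery, collecting the workstations' unencrypted .ost files, as an added example that is not Progent's code and not part of the original case study: a small Python triage script (assumed tooling, run over constructed sample files built inside the script) that finds Outlook data files, including ones the ransomware has renamed, and separates intact copies from encrypted ones by checking the [MS-PST] file signature "!BDN" and the entropy of the file header. Ryuk appends its own .RYK extension to the files it encrypts, which is why the search also accepts one extra extension after .ost or .pst.

```python
"""Triage Outlook data files after a ransomware incident (added example).

Walks a directory tree, finds Outlook Offline Folder (.ost) and Personal
Folder (.pst) files, including ones renamed by ransomware (e.g. mail.ost.RYK),
and classifies each one as intact or encrypted. An intact file begins with the
[MS-PST] magic value "!BDN"; a file rewritten by ransomware has a high-entropy
header with no recognizable structure. Only intact files are worth copying off.
"""
from __future__ import annotations

import math
import os
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

PST_MAGIC = b"!BDN"          # [MS-PST] dwMagic 0x4E444221, shared by .ost and .pst
SAMPLE_BYTES = 4096          # header bytes read per file
ENTROPY_THRESHOLD = 7.0      # bits per byte; ciphertext is close to 8.0
# .ost/.pst, optionally followed by one extension appended by ransomware
OUTLOOK_NAME = re.compile(r"\.(ost|pst)(\.[^.]+)?$", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_header(header: bytes) -> str:
    """'intact' if the PST/OST magic is present, 'encrypted' if the header looks
    like ciphertext, otherwise 'unknown' (truncated, zero-filled or not Outlook)."""
    if header.startswith(PST_MAGIC):
        return "intact"
    if shannon_entropy(header) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "unknown"


def find_outlook_files(root: Path):
    """Yield candidate .ost/.pst files under root, ransomware-renamed ones included."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if OUTLOOK_NAME.search(name):
                yield Path(dirpath) / name


def triage(root: Path) -> dict[str, str]:
    """Map each candidate file (path relative to root, posix style) to its verdict."""
    result: dict[str, str] = {}
    for path in find_outlook_files(root):
        with path.open("rb") as fh:
            result[path.relative_to(root).as_posix()] = classify_header(fh.read(SAMPLE_BYTES))
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not real user files: one intact OST, one intact PST,
    one OST that Ryuk-style ransomware has encrypted and renamed, and a decoy."""
    rng = random.Random(1234)   # deterministic stand-in for ciphertext
    files = {
        "alice/Outlook/alice.ost": PST_MAGIC + bytes(SAMPLE_BYTES - len(PST_MAGIC)),
        "alice/Outlook/archive2018.pst": PST_MAGIC + bytes(512),
        "bob/Outlook/bob.ost.RYK": rng.randbytes(SAMPLE_BYTES),
        "bob/Desktop/notes.txt": b"not an outlook file",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def run_demo() -> dict[str, str]:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for rel, verdict in sorted(run_demo().items()):
        print(f"{verdict:9s} {rel}")
```

Two practical points: Outlook holds its .ost file open with an exclusive lock, so the file must be copied with Outlook closed (or from a shadow copy or offline disk); and a passing header check is quick triage, not proof of integrity, so open each collected file in Outlook or run scanpst before relying on it for recovery.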
Over the following few weeks, important milestones in the recovery were reached through close cooperation between Progent consultants and the client:
- Internal web sites were brought back up with no loss of information.
- The MailStore Server archive of more than four million historical messages was brought back up and made available to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory capabilities were completely functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Ninety percent of the user desktops and notebooks were fully operational.
"A lot of what happened those first few days is nearly entirely a haze for me, but we will not forget the commitment each member of your team put in to help get our business back. I've entrusted Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This situation was the most impressive ever."
A probable business-ending disaster was averted thanks to hard-working experts, a wide spectrum of IT skills, and close collaboration. The post-incident analysis showed that the intrusion described here could have been prevented with modern security technology, ISO/IEC 27001 best practices, staff training, sound backup procedures (including copies kept offline, out of reach of an attacker who holds domain credentials), and keeping systems current with security patches. Even so, government-sponsored and criminal attackers from China, North Korea, Russia and elsewhere are relentless and will keep trying. If you are hit by a ransomware attack, be confident that Progent's roster of professionals has a proven track record in ransomware defense, mitigation, and disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for making it so I could get rested after we made it through the initial fire. All of you made an amazing effort, and if anyone is in the Chicago area, dinner is my treat!"
To review or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Durham a range of online monitoring and security assessment services designed to help minimize the threat from ransomware. These services use modern machine learning technology to detect zero-day strains of ransomware that evade legacy signature-based anti-virus products.
For Durham 24-Hour CryptoLocker Remediation Services, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses SentinelOne's behavior-based analysis technology to defend physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which routinely evade legacy signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to address the complete threat progression including protection, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback based on the Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Because most ransomware, Ryuk included, deletes shadow copies before it starts encrypting, rollback depends on the agent preventing that deletion; it complements offline backups rather than replacing them. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and react to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP environment that addresses your organization's specific requirements and allows you to demonstrate compliance with government and industry data protection standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore technology providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management offerings that provide backup-as-a-service. ProSight DPS services automate and track your backup operations and allow non-disruptive backup and rapid restoration of vital files/folders, applications, images, and virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware failure, natural disasters, fire, cyber attacks such as ransomware, user error, malicious employees, or application bugs. For ransomware in particular, at least one backup copy should be kept offline or otherwise unreachable with the credentials an attacker obtains on your network, since online backups are among the first things modern ransomware destroys (as happened to the client in the case study above). Managed backup services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you determine which of these managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security vendors to provide centralized control and comprehensive protection for all your inbound and outbound email. The layered structure of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to offer advanced protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and blocks most threats before they reach your network firewall. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a further layer of inspection for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server monitor and protect internal email that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map out, track, reconfigure and debug their connectivity hardware like routers, firewalls, and access points plus servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are kept current, captures and manages the configuration information of almost all devices on your network, monitors performance, and sends alerts when potential issues are detected. By automating complex network management activities, ProSight WAN Watch can knock hours off common chores such as making network diagrams, reconfiguring your network, locating appliances that need critical updates, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to keep your network operating at peak levels by checking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT management personnel and your assigned Progent engineering consultant so that all potential problems can be addressed before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL/TLS certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can save up to 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your business network, such as recommended procedures and how-to guides. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that uses behavior-based machine learning technology to defend endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and the fileless payloads delivered by email phishing, which easily get past legacy signature-based AV tools. The service safeguards on-premises and cloud-based resources and offers a unified platform to manage the complete malware attack progression including protection, detection, containment, remediation, and forensics. Key features include one-click rollback using Windows VSS and automatic network-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Desk: Support Desk Managed Services
Progent's Call Center managed services enable your IT team to outsource Support Desk services to Progent or split activity for support services transparently between your in-house support group and Progent's nationwide pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless supplement to your internal support team. User interaction with the Service Desk, delivery of technical assistance, escalation, ticket creation and tracking, performance measurement, and maintenance of the service database are cohesive regardless of whether incidents are taken care of by your corporate IT support group, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Call Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and affordable alternative for assessing, testing, scheduling, applying, and tracking updates to your ever-evolving information network. In addition to maximizing the security and reliability of your IT network, Progent's software/firmware update management services allow your in-house IT team to focus on more strategic projects and tasks that deliver maximum business value from your network. Learn more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication (2FA). Duo enables one-tap identity verification on iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected application and enter your password you are asked to verify your identity on a device that only you have and that uses a separate network channel. A broad selection of out-of-band devices can be used for this second factor, such as an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline telephone. You may register several validation devices. To find out more about ProSight Duo two-factor identity validation services, refer to Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of real-time reporting tools designed to integrate with the industry's leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-through or endpoints with out-of-date anti-virus software. By identifying ticketing or network health problems clearly and in near real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.