Crypto-Ransomware : Your Worst IT Disaster
Crypto-Ransomware has become an escalating cyberplague that represents an extinction-level threat for organizations unprepared for an assault. Different versions of crypto-ransomware like the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for years and still inflict destruction. The latest strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, plus more as yet unnamed viruses, not only encrypt on-line data files but also infiltrate many accessible system restores and backups. Information replicated to the cloud can also be corrupted. In a vulnerable environment, this can render automated restore operations hopeless and basically knocks the entire system back to square one.
Getting back on-line services and information following a ransomware event becomes a sprint against the clock as the targeted organization tries its best to stop the spread and cleanup the ransomware and to restore enterprise-critical activity. Due to the fact that crypto-ransomware requires time to spread, attacks are often launched during nights and weekends, when successful attacks typically take longer to recognize. This compounds the difficulty of quickly assembling and organizing a knowledgeable mitigation team.
Progent offers a variety of solutions for securing organizations from ransomware penetrations. These include team member training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of the latest generation security solutions with AI technology from SentinelOne to detect and extinguish new cyber threats automatically. Progent in addition provides the services of veteran ransomware recovery consultants with the talent and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Restoration Support Services
Following a crypto-ransomware attack, sending the ransom demands in cryptocurrency does not ensure that cyber criminals will respond with the keys to decrypt all your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well above the usual crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The alternative is to piece back together the key parts of your Information Technology environment. Without the availability of complete information backups, this requires a broad complement of skill sets, well-coordinated team management, and the ability to work non-stop until the job is over.
For twenty years, Progent has made available professional Information Technology services for companies in Edmonton and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security specialists have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of experience affords Progent the skills to quickly understand necessary systems and re-organize the surviving parts of your computer network environment following a crypto-ransomware penetration and assemble them into a functioning network.
Progent's recovery group utilizes powerful project management tools to orchestrate the complex recovery process. Progent appreciates the importance of working rapidly and in concert with a client's management and Information Technology resources to prioritize tasks and to put critical services back on-line as fast as possible.
Customer Story: A Successful Ransomware Intrusion Recovery
A small business engaged Progent after their company was attacked by Ryuk ransomware. Ryuk is thought to have been created by Northern Korean state sponsored criminal gangs, possibly using strategies leaked from the U.S. National Security Agency. Ryuk seeks specific organizations with little ability to sustain disruption and is among the most profitable versions of ransomware viruses. Major targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago and has around 500 employees. The Ryuk penetration had paralyzed all company operations and manufacturing processes. Most of the client's data protection had been directly accessible at the beginning of the intrusion and were damaged. The client considered paying the ransom demand (exceeding $200,000) and praying for the best, but in the end brought in Progent.
"I cannot speak enough in regards to the care Progent provided us during the most critical period of (our) businesses survival. We would have paid the hackers behind this attack if not for the confidence the Progent experts provided us. That you were able to get our e-mail system and critical applications back into operation sooner than five days was incredible. Each consultant I talked with or texted at Progent was hell bent on getting our company operational and was working breakneck pace to bail us out."
Progent worked together with the customer to quickly determine and assign priority to the most important areas that needed to be recovered to make it possible to continue business functions:
- Active Directory
- E-Mail
- Accounting/MRP
To start, Progent followed ransomware incident response industry best practices by halting lateral movement and removing active viruses. Progent then initiated the steps of rebuilding Microsoft AD, the heart of enterprise networks built upon Microsoft technology. Exchange messaging will not operate without Windows AD, and the businesses' financials and MRP system utilized Microsoft SQL, which depends on Active Directory services for access to the data.
Within two days, Progent was able to re-build Windows Active Directory to its pre-intrusion state. Progent then completed rebuilding and hard drive recovery on critical applications. All Microsoft Exchange Server schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Email Off-Line Data Files) on user workstations and laptops in order to recover mail data. A not too old off-line backup of the client's accounting/MRP systems made them able to restore these vital programs back online. Although significant work was left to recover totally from the Ryuk event, essential systems were restored rapidly:
"For the most part, the assembly line operation did not miss a beat and we did not miss any customer orders."
During the next few weeks key milestones in the recovery project were achieved in close collaboration between Progent team members and the customer:
- Internal web applications were brought back up without losing any information.
- The MailStore Exchange Server exceeding four million archived emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were fully recovered.
- A new Palo Alto 850 security appliance was deployed.
- Most of the user desktops were being used by staff.
"A huge amount of what went on in the initial days is mostly a fog for me, but I will not soon forget the urgency each and every one of your team put in to give us our business back. I've entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This time was no exception but maybe more Herculean."
Conclusion
A likely enterprise-killing catastrophe was avoided due to results-oriented experts, a broad spectrum of IT skills, and close collaboration. Although in hindsight the ransomware virus attack described here would have been identified and blocked with advanced cyber security technology solutions and NIST Cybersecurity Framework best practices, team training, and properly executed security procedures for data backup and proper patching controls, the reality remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware incursion, feel confident that Progent's roster of professionals has extensive experience in ransomware virus defense, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thanks very much for making it so I could get rested after we made it over the first week. Everyone did an fabulous effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Edmonton a range of online monitoring and security assessment services designed to assist you to reduce the threat from crypto-ransomware. These services incorporate modern AI technology to uncover zero-day strains of crypto-ransomware that are able to evade legacy signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a single platform to address the entire malware attack lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent managed from a single control. Progent's data protection and virtualization experts can help your business to plan and implement a ProSight ESP deployment that addresses your company's specific requirements and that allows you prove compliance with legal and industry information security regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent can also assist you to install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore software companies to create ProSight Data Protection Services (DPS), a family of management offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your backup processes and allow transparent backup and rapid recovery of important files, applications, images, plus VMs. ProSight DPS lets you protect against data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top information security vendors to deliver centralized control and world-class security for all your email traffic. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer advanced protection against spam, viruses, Dos Attacks, DHAs, and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and blocks most threats from reaching your network firewall. This decreases your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for incoming email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and protect internal email that stays within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, track, enhance and troubleshoot their networking appliances like switches, firewalls, and access points plus servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept updated, copies and displays the configuration of virtually all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating tedious management processes, WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, locating appliances that need important software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management technology to help keep your IT system operating efficiently by tracking the health of vital computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT personnel and your assigned Progent engineering consultant so any looming problems can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hardware environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect data about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs ,domains or warranties. By cleaning up and managing your network documentation, you can eliminate up to half of time spent looking for vital information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting edge behavior machine learning tools to defend endpoints and servers and VMs against new malware attacks such as ransomware and email phishing, which routinely escape traditional signature-based anti-virus products. Progent ASM services protect local and cloud resources and provides a unified platform to automate the entire malware attack progression including filtering, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
Progent's Call Center services enable your information technology group to outsource Support Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house network support resources and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a smooth extension of your internal IT support group. User interaction with the Help Desk, provision of technical assistance, problem escalation, ticket creation and updates, efficiency metrics, and maintenance of the support database are consistent regardless of whether incidents are resolved by your core support group, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Patch Management Services
Progent's support services for patch management offer businesses of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT system. In addition to optimizing the protection and reliability of your IT environment, Progent's patch management services free up time for your in-house IT team to focus on line-of-business initiatives and tasks that derive maximum business value from your network. Read more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication. Duo enables single-tap identity confirmation on iOS, Android, and other out-of-band devices. With 2FA, when you sign into a protected application and enter your password you are requested to confirm who you are via a unit that only you possess and that is accessed using a different network channel. A wide selection of out-of-band devices can be used as this second means of ID validation including an iPhone or Android or watch, a hardware/software token, a landline telephone, etc. You may register multiple verification devices. For more information about Duo two-factor identity validation services, visit Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time reporting plug-ins created to integrate with the leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Edmonton Ransomware Recovery Support Services, contact Progent at 800-462-8800 or go to Contact Progent.